HOW IMPORTANT IS YOUR DATA?


Years of family photos. Your entire music 
and movie collection. Office documents 
you've put hours of work into. Backups for 
every computer you own. We ask again, how 
important is your data? 


NOW IMAGINE LOSING IT ALL 


Losing one bit - that’s all it takes. One single bit, and 
your file is gone. 


The worst part? You won't know until you 
absolutely need that file again. 


THE SOLUTION 


The FreeNAS Mini has emerged as the clear choice to
save your digital life. No other NAS in its class offers
ECC (error correcting code) memory and ZFS bitrot
protection to ensure data always reaches disk
without corruption and never degrades over time.


No other NAS combines the inherent data integrity 
and security of the ZFS filesystem with fast on-disk 
encryption. No other NAS provides comparable power 
and flexibility. The FreeNAS Mini is, hands-down, the 
best home and small office storage appliance you can 
buy on the market. When it comes to saving your 
important data, there simply is no other solution. 




Example of one-bit corruption 


The Mini boasts these state-of-the-art features:

- 8-core 2.4GHz Intel® Atom™ processor
- Up to 16TB of storage capacity
- 16GB of ECC memory (with the option to upgrade to 32GB)
- 2x 1 Gigabit network controllers
- Remote management port (IPMI)
- Tool-less design; hot swappable drive trays
- FreeNAS installed and configured


Intel, the Intel logo, Intel Atom and Intel Atom Inside are trademarks of Intel Corporation in the U.S. and/or other countries. 


FREENAS CERTIFIED STORAGE

With over six million downloads, FreeNAS is undisputedly
the most popular storage operating system in the world.


Sure, you could build your own FreeNAS system: research
every hardware option, order all the parts, wait for
everything to ship and arrive, vent at customer service
because it hasn't, and finally build it yourself while
hoping everything fits - only to install the software and
discover that the system you spent days agonizing over
isn't even compatible. Or...


MAKE IT EASY ON YOURSELF 


As the sponsors and lead developers of the FreeNAS
project, iXsystems has combined over 20 years of
hardware experience with our FreeNAS expertise to
bring you FreeNAS Certified Storage. We make it 
easy to enjoy all the benefits of FreeNAS without 
the headache of building, setting up, configuring, 
and supporting it yourself. As one of the leaders in 
the storage industry, you know that you're getting the 
best combination of hardware designed for optimal 
performance with FreeNAS. 


Every FreeNAS server we ship is...

- Custom built and optimized for your use case
- Installed, configured, tested, and guaranteed to work out of the box
- Supported by the Silicon Valley team that designed and built it
- Backed by a 3-year parts and labor limited warranty


http://www.iXsystems.com/storage/freenas-certified-storage/ 




As one of the leaders in the storage industry, you 
know that you're getting the best combination 

of hardware designed for optimal performance 

with FreeNAS. Contact us today for a FREE Risk 
Elimination Consultation with one of our FreeNAS 
experts. Remember, every purchase directly supports 
the FreeNAS project so we can continue adding 
features and improvements to the software for years 
to come. And really - why would you buy a FreeNAS 
server from anyone else? 




FreeNAS 1U

- Intel® Xeon® Processor E3-1200v2 Family
- Up to 16TB of storage capacity
- 16GB ECC memory (upgradable to 32GB)
- 2x 10/100/1000 Gigabit Ethernet controllers
- Redundant power supply

FreeNAS 2U

- 2x Intel® Xeon® Processors E5-2600v2 Family
- Up to 48TB of storage capacity
- 32GB ECC memory (upgradable to 128GB)
- 4x 1GbE Network interface (onboard), upgradable to 2x 10 Gigabit interface
- Redundant power supply
Editor's Words


Dear Readers, 


We selected security as the main topic for this BSD issue
because it is one of the most often repeated needs
nowadays. We all want security, not only in our virtual
world, but also in our real-life situations. The meaning of
security is different for everyone. This can be related to
different needs, rules and ideas. If we talk about real life,
security is important no matter what it really means and
what kinds of conditions need to be fulfilled. This kind of
security depends on real needs, and it can be described
by many different rules depending on country, nationality,
law, or even mood. When I think about IT security, which
of course is one of the most important factors in making
us feel secure in the real-life dimension, I think about
standards, procedures and technology. And this BSD
issue will present you with more information about them.


The article I will recommend is titled Building a PCI
Compliant Infrastructure on AWS by Renan Dias. He will
be building a quite complex AWS infrastructure and he
will be deploying an application called Guestbook. He
claims that everything you will learn can be applied to
any infrastructure running any application. The article is
long, but I decided not to split it into two issues to make
your life easier and give you the full guidelines on how to
secure yourself. I hope you enjoy reading it and start
building your own infrastructure on AWS.


The next article will help you secure your IT world. It is 
AWS Infrastructure Security: Deep Dive into Access 
Control Management by Mohamed Farag. In his article, 
Mohamed introduces you to various considerations with 
access control management in AWS infrastructure. You 
will learn different tips and tricks to think through the 
security of your access control management and exploit 
a wide-variety of tools to improve your organization’s 
security infrastructure. And do not omit the Password 
Cracking in UNIX article by Amit Chugh. I hope you will
find some more support for your individual projects. 


MAGAZINE 


If you want to start with Raspberry Pi and don't know
how, just go to the next pages to read the article titled 
Ready to Land on IoT World with the Raspberry Pi 3 by 
Manuel Daza. 


The next article worth reading is Elastix On Bhyve by 
Abdorrahman Homaei. I would like to add that
Abdorrahman Homaei’s articles will be published by the 
BSD magazine more regularly. Therefore, if you like his 
writing, please contact him to give some feedback for 
future articles. 


Since I am limited by words for this editorial, please see
the Table of Contents for a more thorough description on 
the articles. 


We also have a new blog presentation. I think that you
know him very well. This month you can meet Hubert
Feyrer. 


Of course, please do not forget to see our interview for 
this issue. This time Kalin Staykov responds to our 
questions. Check out what he thinks about DevOps. 


Also, I would like to invite you to read the column by Rob
Somerville. It is always a good read.


As long as we have our dear readers, we have a purpose. 
We owe you a huge THANK YOU. Additionally, we are
grateful for every comment and opinion, whether positive 
or negative. Every word from you compels us to improve 
the BSD magazine and brings us closer to the ideal 
shape of our publication. 


Best regards, 
Ewa & The BSD Team 


PS. If you want to start a real life open-source journey 
with our rich-content publications, or if you want to get in 
contact with our team, feel free to write to us. 
News 6
Ewa Dudzic & The BSD Team 

This column presents the latest news coverage of events, 
product releases and trending topics. 


SECURITY 


Building a PCI Compliant Infrastructure on AWS 10 
Renan Dias 


PCI DSS is a security standard for companies that deal 
with credit card information from schemes like 
MasterCard, Visa, American Express, JCB and Discover. 
However, even if your company does not handle any 
credit card information, it would still be a great idea to 
implement some of PCI’s security standards. In this 
article, Renan will focus on PCI DSS. 


AWS Infrastructure Security: Deep Dive Into Access
Control Management 30
Mohamed Farag 


Mohamed introduces you to various considerations with
access control management in AWS infrastructure. You
will learn different tips and tricks to think through the
security of your access control management and exploit
a wide variety of tools to improve your organization's
security infrastructure.


Password Cracking in UNIX 36 
Amit Chugh 


Passwords are used for performing authentication. A user
can be authenticated to a system in different ways: by
something the user knows (a password), something the
user has (an identification token), or something the user
is (biometrics). A password can be changed easily if it is
found to be compromised. In this paper, Amit will talk
about the various password cracking tools available for
cracking passwords in a UNIX environment.


BHYVE 
Elastix on Bhyve 38 


Abdorrahman Homaei 

Elastix installation is easy, but if you want to use FXO/FXS
PCI-E hardware, you have to know about Bhyve PCI
Passthrough. The Bhyve hypervisor supports the passing
of PCI devices belonging to the host to a virtual machine
for its exclusive use.


GETTING STARTED 


Ready to Land on loT World 

with the Raspberry Pi 3 42 
Manuel Daza 

Manuel acquired the Raspberry Pi 3 a few months ago. 
It’s not their latest model, where again the power and 
speed have been slightly increased. In this Pi 3 model, 
the main improvement on the previous versions, was the 
inclusion of WiFi and Bluetooth modules on the same 
board, which made it no longer necessary to connect a 
USB to provide these capabilities. And with this, he 
started his journey. 


UNIX BLOG PRESENTATION 


hubertf's NetBSD Blog
Hubert Feyrer 


Some time ago I tried to solve some real-world
geocaching/math problem. In my brute-force approach I
put a number of jobs on multiple-CPU machines rented
from Amazon AWS and running NetBSD/Xen. Doing so, I
discovered that the load distribution was not utilizing all
CPUs.


INTERVIEW 
Interview with Kalin Staykov 50 


I was 15 years old when the Internet was just starting to
become popular. We had our first taste of it via dial-up
phone modems. It was a weird and engaging time. A
year later, I was introduced to Linux on systems that had
only 8 MB of RAM. I can recall that it took about one
whole day to compile a kernel.


COLUMN 


With the wounds still open after another heinous terror
attack in the heart of London, calls are already being
made that security services must be able to decrypt
messages from the Facebook owned service, WhatsApp.
In light of the recent revelations of CIA back-doors in
smart televisions, is this bluff, rhetoric, or a call for further
political clampdown on free speech? 52
Rob Somerville


NetBSD 7.1 Released

The NetBSD Project announced that NetBSD 7.1, the
first feature update of the NetBSD 7 release branch, is
available to download. It represents a selected subset of
fixes deemed important for security or stability reasons,
as well as new features and enhancements. Some
highlights of the 7.1 release are:


- Support for Raspberry Pi Zero.
- Initial DRM/KMS support for NVIDIA graphics cards via nouveau (disabled by default; uncomment nouveau and nouveaufb in your kernel config to test).
- The addition of vioscsi, a driver for the Google Compute Engine disk.
- Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24.
- wm(4)
- ODROID-C1 Ethernet now works.
- Numerous bug fixes and stability improvements.


Complete source and binaries for NetBSD 7.1 are 
available for download at many sites around the world. A 
list of download sites providing FTP, AnonCVS, SUP and 
other services may be found at 


http://www.NetBSD.org/mirrors/ 


source: https://www.netbsd.org/releases/formal-7/NetBSD-7.1.html


NEWS 


Google's 2017 Summer of Code Program

The FreeBSD Project announced that it will participate in
Google's 2017 Summer of Code program, which funds
summer students to participate in open source projects.
This will be the FreeBSD Project's thirteenth year in the
program, having mentored over 200 successful students
through summer-long coding projects between 2005
and 2016.


Past successful projects have included improvements to 
Linux ABI emulation, NFSv4 ACLs, TCP regression 
testing, FUSE file system support, and countless other 
projects. Many students go on to become FreeBSD 
developers, as well as participating in FreeBSD 
developer events around the world through continuing 
support from the FreeBSD Foundation. 


source: https://www.freebsd.org/projects/summerofcode.html


OpenSSH 7.5 Released 


OpenSSH is the premier connectivity tool for remote 
login with the SSH protocol. It encrypts all traffic to 
eliminate eavesdropping, connection hijacking, and other 
attacks. In addition, OpenSSH provides a large suite of 
secure tunneling capabilities, several authentication 


methods, and sophisticated configuration options. The 
OpenSSH suite consists of the following tools: 


- Remote operations are done using ssh, scp and sftp.
- Key management with ssh-add, ssh-keysign, ssh-keyscan and ssh-keygen.
- The service side consists of sshd, sftp-server and ssh-agent.


OpenSSH is developed by a few developers of the 
OpenBSD Project and made available under a BSD-style 
license. 


source: https://www.openssh.com/


iXsystems Launches FreeNAS 
Corral, an Open Source Solution 
for Building Hyper-converged 
Infrastructures 


FreeNAS Corral, the latest version of FreeNAS, combines 
sophisticated storage, virtualization, containers, and GUI 
management in a brand new interface 

iXsystems, the industry leader in storage and servers 
driven by Open-Source, released FreeNAS 10 and 
unveiled the FreeNAS Corral brand. With FreeNAS Corral 
(formerly FreeNAS 10), iXsystems introduces the next
generation of the world's most popular Open-Source
software-defined storage software. FreeNAS Corral 
extends FreeNAS’ enterprise-grade storage capabilities 
by adding a virtual machine and Docker container 
management. FreeNAS Corral enables the integration of 
software-defined storage into VMs and provides 
persistent storage for Docker containers. These 
enhancements are provided through a re-designed 
graphical user interface (GUI) and a powerful command 
line interface (CLI), making FreeNAS both easier to use 
and more capable than ever. The new Corral name 
represents what this release does best: corralling data, 
virtual machines, containers, and storage services under 
one management interface. 


“FreeNAS Corral catapults the world’s most popular 
storage OS into a new category by combining FreeNAS’ 
renowned storage services with Docker containers and 
full-machine virtualization capabilities. We’re now 
enabling users and developers to build hyper-converged 
solutions to support their web-scale applications,” said 
Brett Davis, Executive Vice President of iXsystems. “The 
Corral name represents the next generation in enterprise 
grade services contributed by iXsystems to the Open 
Source community. Only a new name could do justice to 
such a giant evolutionary step.” 

FreeNAS Corral introduces an intuitive new graphical 
user interface, a scriptable command line interface, and a 
powerful websocket API that can automate and control 
every aspect of the FreeNAS Corral software. It also 
includes the bhyve hypervisor for virtualization and 
Docker container services. FreeNAS Corral includes easy 
to use VM templates, which provide fully set up, 
pre-installed versions of multiple guest operating 
systems including TrueOS, FreeBSD, SmartOS, and 
several GNU/Linux distributions, including CentOS, 
Debian, and Ubuntu. VMs can also be created for a 
variety of Windows environments using a user-provided 
installation media. 

Rather than using the cloud to develop, test and deploy 
applications, FreeNAS Corral, with its storage, VM, and 
container services, can be easily used instead. 


When it comes to storage, early users found provisioning 
storage with FreeNAS Corral to be more intuitive and 
accomplished in a shorter amount of time than with 
previous versions of FreeNAS. These early users also 
found that FreeNAS Corral’s VM and Docker container 
support enabled them to easily host their application 
solutions while using FreeNAS Corral’s storage services. 
FreeNAS Corral seamlessly supports Docker containers 
from dockerhub, enabling DevOps teams to manage, 
deploy, and scale trusted and business-ready 


applications across FreeNAS Corral instances 
cooperatively with the cloud. 

“Thousands of early FreeNAS 10 testers have already 
seen and deployed many of the revolutionary 
enhancements that FreeNAS Corral is delivering. This 
release of FreeNAS Corral gives even more users the 
opportunity to see all the revolutionary enhancements 
that continue to make FreeNAS the world’s leading 
Open-Source storage system. It provides all the features 
of FreeNAS while remaining 100% Open-Source, also 
fully leveraging other open-source infrastructures like 
GitHub and Docker Hub,” said Jordan Hubbard, CTO of 
iXsystems and head of the FreeNAS Corral project. “We 
look forward to continued collaboration with the Open 
Source development community!” 

FreeNAS Corral is a ground-up rewrite of FreeNAS that 
allows for future innovation in the product while 
supporting all the storage features of FreeNAS 9.10. 
Users can download FreeNAS Corral at 
freenas.org/download or upgrade their 9.10.x systems in 
place by selecting the FreeNAS-Corral-STABLE train 
from the Update tab of the FreeNAS GUI or installing 
FreeNAS Corral from the ISO image and picking the 
option to install into a new Boot Environment. 


source: https://www.ixsystems.com/blog/ixsystems-launches-freenas-corral-open-source-solution-building-hyper-converged-infrastructures/


Qt 5.7.1, KDE Frameworks 5.31 
Landed 


The KDE-FreeBSD team announced the immediate 
availability of Qt 5.7.1 and KDE Frameworks 5.31 in the 
official FreeBSD ports tree; check out FreshPorts for the 
latest ports news. 


This release adds one new KDE Framework, Kirigami 2. It 
also enables the Qt4 and Qt5 ports to live together, more 
harmoniously. In particular, it adds misc/qtchooser, which 
allows developers and sysadmins to manage multiple 
concurrent Qt installations. We advise users to consult 
the UPDATING entry for 20170218. 


source: https://freebsd.kde.org/news.php#itemQt571KDEFrameworks531landed


EuroBSDcon 2017 


EuroBSDcon is the premier European conference on the
open-source BSD operating systems, attracting about 250
highly skilled engineering professionals, software
developers, computer science students and professors,
and users from all over Europe and other parts of the
world. The goal of EuroBSDcon is to exchange
knowledge about the BSD operating systems and to
facilitate coordination and cooperation among users and
developers.

The conference will be held at the Espace Saint Martin in
Paris on 21-24 September 2017.


Call for Proposals 

The tutorials will be held on Thursday and Friday to 
enlisted participants and the talks are presented to 
conference attendees on Saturday and Sunday. 

The call for Talk and Presentation proposals period will 
close on April 30th, 2017. 


Call for Talk and Presentation Proposals (CFP) 

The EuroBSDcon program committee is inviting BSD 
developers and users to submit innovative and original 
talk proposals not previously presented at other 
European conferences. Topics of interest to the 
conference include but are not limited to applications, 
architecture, implementation, performance and security 
of BSD-based operating systems, as well as topics 
concerning the economic or organizational aspects of 
BSD use. Presentations are expected to be 45 minutes 
and are to be delivered in English. 


Call for Tutorial Proposals 

The EuroBSDcon program committee is also inviting 
qualified practitioners in their fields to submit proposals 
for half or full day tutorials on topics relevant to 
development, implementation and use of BSD-based 
systems. Half-day tutorials are expected to be 2.5 to 3 
hours and full-day tutorials 5 to 6 hours. The tutorials and 
talks are to be delivered in English. 


Submissions 
Proposals should be sent by email to submission at 
eurobsdcon.org. 


Source: https://2017.eurobsdcon.org/news/


Performance and Reliability is critical

Download syslog-ng Premium Edition product evaluation here

Attend a free logging tech webinar here

BalaBit IT Security
www.balabit.com

syslog-ng log server
The world's first High-Speed Reliable Logging™ technology

HIGH-SPEED RELIABLE LOGGING

- above 500 000 messages per second
- zero message loss due to the Reliable Log Transfer Protocol™
- trusted log transfer and storage

SECURITY 


Building a PCI Compliant 
Infrastructure on AWS 


Infrastructure security has become one of the most
important topics in the IT industry nowadays. More and
more, we witness attacks being carried out against big
and small companies. That is why it is so important to
know how to protect your infrastructure and your
systems. To help organizations do that, there are a
number of different security standards: PCI DSS, Red
Flag, HIPAA/HITECH Security, NIST, NERC, ISO 27002,
etc. In this article, we will focus on PCI DSS.


PCI DSS is a security standard for companies that deal 
with credit card information from schemes like 
MasterCard, Visa, American Express, JCB and Discover. 
However, even if your company does not handle any 
credit card information, it would still be a great idea to 
implement some of PCI’s security standards. 


Solution 


We will be building a fairly complex AWS infrastructure
and we will be deploying an application called
Guestbook. Guestbook is a program written in Go
which adds guests to a list using Redis. It is one of the
sample applications provided by Kubernetes for users
to try Kubernetes out. The reason I chose to use this
sample application instead of coding one from scratch
is that the main objective of this article is to show you
how to protect your infrastructure by applying security
standards, not to demonstrate application development.


Everything that you will learn here can be applied to any 
infrastructure running any application. 


Technology stack 


We will be using the following cloud provider and
services, operating system and programming language:

- Amazon Web Services
  - VPC (Subnets, Internet Gateway, Route Tables, NAT Gateways)
  - ElastiCache (Redis)
  - EC2
  - Elastic Load Balancer (ELB)
  - Route 53
- Ubuntu 16.04 LTS
- Go programming language - you do not need to have previous programming experience in Go as the code will be provided


Infrastructure Components 


This is the AWS infrastructure that we will be building
(see Figure 1):

- An Amazon VPC with six (6) subnets - three (3) public subnets and three (3) private subnets
- A Redis cluster
- An Elastic Load Balancer (ELB) which will be deployed to the Demilitarized Zone (DMZ)
- A Bastion host which will also be deployed to the DMZ
- An EC2 instance which will run our application
- Security Groups to protect the bastion host, the ELB and the instance
- A NAT Gateway to allow the private EC2 instance to communicate with the Internet

Note that the resources above might be deployed to any
of the availability zones. For example, the guestbook EC2
instance can be deployed to us-east-1a, us-east-1b or
us-east-1c, so long as it is deployed to a private subnet.


Infrastructure Requirements 


PCI DSS contains over 300 requirements to be fully 
compliant. Due to space constraints, we will implement 
just a small set of these requirements. 


By the end of this article, you will have implemented the 
following PCI requirements (the number in parentheses is 
the PCI section number): 


1 - Is a firewall required and implemented at each
Internet connection and between any demilitarized zone
(DMZ) and the internal network zone? (1.1.4a)



2 - Are firewall and router rule sets reviewed at least 
every six months? (1.1.7b) 


3 - Do firewall and router configuration standards require 
review of firewall and router rule sets at least every six 
months? (1.1.7a) 


4 - Is inbound and outbound traffic restricted to that 
which is necessary for the cardholder data environment? 
(1.2.1a) 


5 - Is all other inbound and outbound traffic specifically 
denied (for example by using an explicit "deny all” or an 
implicit deny after allow statement)? (1.2.1b) 


6 - Is a DMZ implemented to limit inbound traffic to only
system components that provide authorized publicly
accessible services, protocols, and ports? (1.3.1)


7 - Is outbound traffic from the cardholder data 
environment to the Internet explicitly authorized? (1.3.4) 


Figure 1. A graphical view of the infrastructure: traffic from
the Internet reaches guestbook.domain.com through
Route 53 and the Internet Gateway; the ELB and the
Bastion sit in the public subnets (172.20.0.0/20,
172.20.16.0/20, 172.20.32.0/20); the Guestbook instance
and redis.guestbook.internal sit in the private subnets
(172.20.48.0/20, 172.20.64.0/20, 172.20.80.0/20); all
inside the 172.20.0.0/16 VPC spread across us-east-1a,
us-east-1b and us-east-1c. Solid arrows mark inbound
traffic, dashed arrows mark outbound traffic.
8 - Are only established connections permitted into the
network? (1.3.5) 


9 - Are system components that store cardholder data 
(such as a database) placed in an internal network zone, 
segregated from the DMZ and other untrusted networks? 
(1.3.6) 


10 - Are configuration standards developed for all system 
components and are they consistent with 
industry-accepted system hardening standards? (2.2a) 


Sources of industry-accepted system hardening
standards may include, but are not limited to, the
SysAdmin Audit Network Security (SANS) Institute, the
National Institute of Standards and Technology (NIST),
the International Organization for Standardization (ISO),
and the Center for Internet Security (CIS).


11 - Is only one primary function implemented per server, 
to prevent functions that require different security levels 
from co-existing on the same server? (2.2.1a) 


12 - For TLS implementations, is TLS enabled whenever
cardholder data is transmitted or received? (4.1e)


13 - Are development/test environments separate from 
the production environment? (6.4.1a) 


14 - Is there a formal Risk Mitigation and Migration Plan
in place for all implementations that use SSL and/or early
TLS (other than as allowed in A2.1), that includes: (A2.2)


15 - Are methods in place to prevent the disclosure of 
private IP addresses and routing information to the 
Internet? (1.3.7a) 


Note: Methods to obscure IP addressing may include, 
but are not limited to: 


Network Address Translation (NAT) 


Placing servers containing cardholder data behind proxy 
servers/firewalls 


Removal or filtering of route advertisements for private 
networks that employ registered addressing. 


Internal use of RFC1918 address space instead of 
registered addresses. 


As soon as we build a piece of infrastructure that
satisfies any of the requirements above, there will be a
section discussing how the requirement was met. And
even if we do not comply entirely, we will discuss what
else should be done so that the requirement is fully met.
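Requirements 1 and 4 through 9 above are all statements about the firewall rule set, which in this design means the security groups around the bastion, the ELB, the guestbook instance and Redis. The following is an added example, not code from the article: it encodes those statements as checks that can be run against a rule set on every change, so the six-monthly review asked for by requirements 2 and 3 becomes a repeatable test rather than a calendar entry. The group names, the ports (443 on the ELB, 8080 on the guestbook instance, 6379 for Redis, 22 from a fixed office range on the bastion) and the rule dictionaries are constructed for the example; a real run would fill them from the output of aws ec2 describe-security-groups.

```python
from datetime import date

ANY = "0.0.0.0/0"
ALL_TRAFFIC = "-1"  # AWS encodes "all protocols and ports" as IpProtocol -1

# Constructed sample of the four groups the article's design needs. "tier"
# records where the group's members live: the DMZ (public subnets) or the
# internal zone (private subnets). A source or destination is either a CIDR
# or the name of another group, as in the AWS API. 203.0.113.0/24 stands in
# for an office address range; every port number is an assumption.
SECURITY_GROUPS = [
    {"name": "sg-bastion", "tier": "dmz",
     "ingress": [{"proto": "tcp", "from": 22, "to": 22, "src": "203.0.113.0/24"}],
     "egress": [{"proto": "tcp", "from": 22, "to": 22, "dst": "sg-guestbook"}]},
    {"name": "sg-elb", "tier": "dmz",
     "ingress": [{"proto": "tcp", "from": 443, "to": 443, "src": ANY}],
     "egress": [{"proto": "tcp", "from": 8080, "to": 8080, "dst": "sg-guestbook"}]},
    {"name": "sg-guestbook", "tier": "private",
     "ingress": [{"proto": "tcp", "from": 8080, "to": 8080, "src": "sg-elb"},
                 {"proto": "tcp", "from": 22, "to": 22, "src": "sg-bastion"}],
     "egress": [{"proto": "tcp", "from": 6379, "to": 6379, "dst": "sg-redis"},
                {"proto": "tcp", "from": 443, "to": 443, "dst": ANY}]},  # via the NAT gateway
    {"name": "sg-redis", "tier": "private",
     "ingress": [{"proto": "tcp", "from": 6379, "to": 6379, "src": "sg-guestbook"}],
     "egress": []},
]

# Requirement 1.3.1: the only services the DMZ may expose to the whole Internet.
# The bastion is deliberately absent, so SSH from 0.0.0.0/0 is a finding.
PUBLIC_SERVICES = {"sg-elb": {443}}


def _is_cidr(ref):
    return "/" in ref


def _ports(rule):
    """Expand a rule's port range into a set; all-traffic rules cover every port."""
    if rule["proto"] == ALL_TRAFFIC:
        return set(range(0, 65536))
    return set(range(rule["from"], rule["to"] + 1))


def review_rules(groups, public_services=PUBLIC_SERVICES):
    """Return (group, PCI requirement, message) findings; an empty list means
    the rule set passes every check implemented here."""
    findings = []
    known = {g["name"] for g in groups}
    for g in groups:
        for r in g["ingress"]:
            src, ports = r["src"], _ports(r)
            if len(ports) == 65536:  # 1.2.1: only what is necessary
                findings.append((g["name"], "1.2.1", "ingress allows all protocols and ports"))
            if not _is_cidr(src) and src not in known:
                findings.append((g["name"], "1.2.1", f"ingress references unknown group {src}"))
            if g["tier"] == "private" and _is_cidr(src):  # 1.3.6: internal zone takes no CIDR sources
                findings.append((g["name"], "1.3.6",
                                 f"internal-zone group accepts from CIDR {src}; reference a DMZ group instead"))
            if g["tier"] == "dmz" and src == ANY:  # 1.3.1: DMZ exposes only authorized services
                extra = ports - public_services.get(g["name"], set())
                if extra:
                    findings.append((g["name"], "1.3.1",
                                     f"Internet-facing ports {sorted(extra)[:5]} are not authorized public services"))
        for r in g["egress"]:  # 1.3.4: outbound from the CDE is explicitly authorized
            if g["tier"] == "private" and r["dst"] == ANY and len(_ports(r)) == 65536:
                findings.append((g["name"], "1.3.4",
                                 "unrestricted outbound to the Internet; list the ports the host really needs"))
    return findings


def review_overdue(last_review_iso, today_iso, max_days=182):
    """Requirement 1.1.7: rule sets must be reviewed at least every six months."""
    last, today = date.fromisoformat(last_review_iso), date.fromisoformat(today_iso)
    return (today - last).days > max_days


if __name__ == "__main__":
    for group, req, msg in review_rules(SECURITY_GROUPS) or [("-", "-", "no findings")]:
        print(f"{group:14} {req:6} {msg}")
```

Security groups are stateful, so requirement 8 (only established connections back in) is satisfied by the mechanism itself and needs no check; the NACLs in a later step are the stateless layer where that question becomes real. The default egress rule AWS attaches to every new group (all traffic to 0.0.0.0/0) is exactly what the 1.3.4 check catches, which is the most common way a private-tier group drifts out of compliance.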


Ready to rock? 
Virtual Private Cloud (VPC) and Subnets 


Let's start by creating a Virtual Private Cloud (VPC) and a
few subnets. If you haven't logged in to the AWS
console, do so now. After you log in, head over to the
VPC console, click on Create VPC (see Figure 2) and use
the following information:

Figure 2. Create VPC. The console explains that a VPC is
an isolated portion of the AWS cloud populated by AWS
objects, such as Amazon EC2 instances; you must specify
an IPv4 address range for your VPC as a Classless
Inter-Domain Routing (CIDR) block, for example
10.0.0.0/16, and you cannot specify an IPv4 CIDR block
larger than /16; you can optionally associate an
Amazon-provided IPv6 CIDR block with the VPC. Fields
shown: Name tag vpc-us-east-1-guestbook-prod; IPv4
CIDR block 172.20.0.0/16; IPv6 CIDR block: No IPv6 CIDR
Block (the alternative being an Amazon provided IPv6
CIDR block); Tenancy: Default.


For the Name Tag, type in
vpc-us-east-1-guestbook-prod (this is just a suggestion;
you can choose any name you would like). For the IPv4
CIDR block, enter the RFC 1918 (Class B-sized) range
172.20.0.0/16. Then, select No IPv6 CIDR Block and
Default for IPv6 CIDR block and Tenancy, respectively.


After your VPC is created, select it and click on Actions 
at the top. Then, click on Edit DNS Hostnames and 
select Yes. You will understand why we are doing this 
later on. 


Now that we have defined the CIDR block of our VPC, we
need to calculate the addresses that will be used for the 6
subnets.

The network has the address 172.20.0.0/16 (netmask
255.255.0.0), which means that out of 32 bits, 16 bits are
reserved for the network, and the remaining 16 bits are
shared between subnets and hosts. The netmask in binary:

11111111.11111111.00000000.00000000
|------- Network -------| |-- Subnets and hosts --|

The formula to calculate the number of subnets in a
network is as follows:

2^x

where x is the number of bits taken from the host part
and set aside for the subnet. Since we need only 6
subnets, x = 3, or 2^3 = 8 subnets, seems appropriate at
first. However, 8 subnets is quite tight, especially if later
we wish to create three (3) or more additional subnets for
some reason. I suggest we go for x = 4, which gives us
2^4 = 16 subnets and a netmask of 255.255.240.0 (/20).

Now, to calculate the number of hosts per subnet, the
following formula is used:

2^y - 2

where y is the number of bits left for hosts. Two (2) is
subtracted from 2^y because, for each subnet, the first IP
address is the address of the subnet itself and the last IP
address is the broadcast address (used to send
datagrams to all hosts). Since, out of the remaining 16
bits, 4 bits will be used for the subnets, 12 bits will be
used for hosts, which gives us 2^12 - 2 = 4094 hosts per
subnet. Note that AWS additionally reserves the first
three host addresses of every subnet (for the VPC router,
the DNS resolver, and future use), so the console will
report 4091 available addresses for each /20 rather
than 4094.


Next step will be to actually calculate the addresses of 
each of the six (6) subnets. 


Here’s how we'd calculate the address range of the first 
subnet: 


11111111.11111111.00000000.00000000 (first address) 
172 20. O.. O 


11111111.11111111.00001111.11111111 (last address) 
172 20 15 299 


So, the first IP address (Subnet address) would be 
172.20.0.0/20 and the last IP address (broadcast 
address) would be 172.20.15.255/20. The IP address 
between these two (2) will be used for hosts. 


Let's calculate now the address range for the second 
subnet, where the 4 subnet bits are 0001: 

172.20.0001|0000.00000000 (first address) 
172.20.16.0 

172.20.0001|1111.11111111 (last address) 
172.20.31.255 

The first IP address (subnet address) would be 
172.20.16.0/20 and the last IP address (broadcast 
address) would be 172.20.31.255/20. I believe you have 
already noticed a pattern which will help us calculate the 
rest of the address ranges without writing down 0s and 
1s. The first and second octets never change. The third 
octet increases by 16 for every subnet (the 4 subnet bits 
are the high bits of the third octet, and one step in them 
is worth 2^4 = 16), and the fourth octet is always 0 (for 
the first address) and 255 (for the last address). We can, 
therefore, conclude that we need to add 16 to the third 
octet for each subnet. This will give us the following 
address ranges: 


First subnet: 172.20.0.0/20 - 172.20.15.255/20 
Second subnet: 172.20.16.0/20 - 172.20.31.255/20 
Third subnet: 172.20.32.0/20 - 172.20.47.255/20 
Fourth subnet: 172.20.48.0/20 - 172.20.63.255/20 
Fifth subnet: 172.20.64.0/20 - 172.20.79.255/20 
Sixth subnet: 172.20.80.0/20 - 172.20.95.255/20 
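To make the arithmetic above reproducible for other VPC sizes and subnet counts, here is an added Python example (my own, not code from the original article) that carries out the same calculation with the standard library's ipaddress module: it derives the number of subnet bits x, the resulting prefix length and netmask, the 2^x - 2 host count and the address ranges, and then applies the sn[pu|pr]-[region][az]-[environment] naming convention that the article introduces for the subnets. It goes slightly beyond the text in that it works for any VPC CIDR and any required number of subnets, and it also reports the five addresses per subnet that AWS reserves, which is why the console shows 4091 rather than 4094 available addresses for a /20. The headroom parameter and the helper names are assumptions of this example.

```python
import ipaddress
import math


def plan_subnets(vpc_cidr, wanted, headroom=2):
    """Carve `wanted` equal-size subnets out of vpc_cidr.

    `headroom` keeps that many times as many subnets as strictly needed, as the
    article does when it picks x = 4 (16 subnets) although only 6 are required.
    Returns (prefix length, hosts per subnet by the 2^x - 2 formula, subnets).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet_bits = max(1, math.ceil(math.log2(wanted * headroom)))  # this is x
    prefix = vpc.prefixlen + subnet_bits
    if prefix > vpc.max_prefixlen - 2:
        raise ValueError("%s cannot hold %d subnets" % (vpc_cidr, wanted * headroom))
    host_bits = vpc.max_prefixlen - prefix
    usable = 2 ** host_bits - 2  # subnet address and broadcast address excluded
    return prefix, usable, list(vpc.subnets(new_prefix=prefix))


def netmask(prefix):
    """Dotted netmask for a prefix length, e.g. 20 -> 255.255.240.0."""
    return str(ipaddress.ip_network("0.0.0.0/%d" % prefix).netmask)


def aws_usable(subnet):
    """AWS reserves the first four addresses (network, VPC router, DNS
    resolver, future use) and the last one (broadcast), so the console shows
    five fewer addresses than 2^x: 4091 for a /20."""
    return subnet.num_addresses - 5


def address_range(subnet):
    """(first address, last address) of a subnet, as listed in the article."""
    return str(subnet.network_address), str(subnet.broadcast_address)


def assign_names(subnets, region="us-east-1", azs=("a", "b", "c"), env="prod"):
    """Apply the sn[pu|pr]-[region][az]-[environment] convention in the
    article's order: one public subnet per AZ first, then one private per AZ.
    Surplus subnets are left unnamed, i.e. reserved for later growth."""
    names = ["sn%s-%s%s-%s" % (kind, region, az, env)
             for kind in ("pu", "pr") for az in azs]
    return {name: str(net) for name, net in zip(names, subnets)}


if __name__ == "__main__":
    prefix, usable, subnets = plan_subnets("172.20.0.0/16", 6)
    print("/%d (%s): %d subnets, %d hosts each, %d usable on AWS"
          % (prefix, netmask(prefix), len(subnets), usable, aws_usable(subnets[0])))
    for name, cidr in assign_names(subnets).items():
        first, last = address_range(ipaddress.ip_network(cidr))
        print("%-22s %-16s %s - %s" % (name, cidr, first, last))
```

Running it with the article's 172.20.0.0/16 and 6 required subnets reproduces the /20 plan above; passing headroom=1 gives the tighter /19 plan with 8 subnets that the text rejects.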


Phew! We finally have all address ranges and can create 
the subnets. However, before we create the subnets, let's 
quickly discuss a naming convention. We will use the 
following naming convention for naming the subnets: 

sn[pu|pr]-[region][availability zone]-[environment] 

Note: pu will be used for public subnets and pr will be 
used for private subnets. For instance, if we wish to create 
a public subnet for the production environment in the 
North Virginia region and availability zone A, we would 
name the subnet: 

snpu-us-east-1a-prod 

Figure 3. Subnet's List (the six subnets as the VPC console lists them: Name, IPv4 CIDR, available IPv4 addresses, Availability Zone) 

snpr-us-east-1a-prod   172.20.48.0/20   4091   us-east-1a 
snpr-us-east-1b-prod   172.20.64.0/20   4091   us-east-1b 
snpr-us-east-1c-prod   172.20.80.0/20   4091   us-east-1c 
snpu-us-east-1a-prod   172.20.0.0/20    4091   us-east-1a 
snpu-us-east-1b-prod   172.20.16.0/20   4091   us-east-1b 
snpu-us-east-1c-prod   172.20.32.0/20   4091   us-east-1c 


Figure 4. VPC summary for vpc-us-east-1-guestbook-prod (Summary tab: State available, Tenancy Default, IPv4 CIDR 172.20.0.0/16, DNS resolution yes, DNS hostnames yes, ClassicLink DNS Support no, plus the VPC's Route table and Network ACL IDs) 

Figure 5. Inbound Rules tab of the default Network ACL, which is associated with all 6 subnets. The console notes: "Allows inbound traffic. Because network ACLs are stateless, you must create inbound and outbound rules." 

Rule #   Type          Protocol   Port Range   Source      Allow / Deny 
100      ALL Traffic   ALL        ALL          0.0.0.0/0   ALLOW 
*        ALL Traffic   ALL        ALL          0.0.0.0/0   DENY 
On the left panel of the VPC console, click on Subnets 
and create six (6) subnets using the information below: 

Name tag: snpu-us-east-1a-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: a 
IPv4 CIDR block: 172.20.0.0/20 

Name tag: snpu-us-east-1b-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: b 
IPv4 CIDR block: 172.20.16.0/20 

Name tag: snpu-us-east-1c-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: c 
IPv4 CIDR block: 172.20.32.0/20 

Name tag: snpr-us-east-1a-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: a 
IPv4 CIDR block: 172.20.48.0/20 

Name tag: snpr-us-east-1b-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: b 
IPv4 CIDR block: 172.20.64.0/20 

Name tag: snpr-us-east-1c-prod 
VPC: vpc-us-east-1-guestbook-prod 
Availability Zone: c 
IPv4 CIDR block: 172.20.80.0/20 


Figure 6. Rules (the Inbound Rules tab after editing rule 100 from ALL Traffic to ALL TCP; the final ALL Traffic DENY rule is unchanged) 
After creating all the subnets, the console should list 
them as shown in Figure 3. 

Before we move on to create the Internet Gateway, we 
need to change a rule in the VPC's Network Access 
Control List (NACL). Briefly, a NACL is a firewall at the 
subnet level. When we created the VPC, a rule that 
allows all kinds of traffic from everywhere was created as 
well in the default NACL. What we need to do is restrict 
this rule to only allow TCP traffic. Click on Your VPCs 
and select the VPC you have just created. At the bottom 
of the page, there will be some information about this 
VPC, including the NACL's ID (See Figure 4). 

Click on the Network ACL ID. Then, select this ACL and 
click on the Inbound Rules tab (See Figure 5). 

Then, click on Edit. In the Type column (do not create a 
new rule, just edit the existing one), select ALL TCP and 
click on Save. You should now have the rules shown in 
Figure 6. 

Now, click on the Outbound Rules tab and do exactly 
the same. After you change the rule, you should have the 
rules shown in Figure 7. 

Keep in mind what a TCP-only NACL blocks: UDP and ICMP 
are now denied in both directions for every subnet in the 
VPC, so the instances cannot ping external hosts or use an 
external NTP server, and you would have to add rules if the 
application ever needs them. Traffic to the VPC's own DNS 
resolver, DHCP, the instance metadata service and the 
Amazon Time Sync Service is not filtered by network ACLs, 
so name resolution and clock synchronisation keep working. 


Figure 7. Changing the rule (the Outbound Rules tab after the change; the console notes: "Allows outbound traffic. Because network ACLs are stateless, you must create inbound and outbound rules.") 

Rule #   Type          Protocol   Port Range   Destination   Allow / Deny 
100      ALL TCP       TCP (6)    ALL          0.0.0.0/0     ALLOW 
*        ALL Traffic   ALL        ALL          0.0.0.0/0     DENY 
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Compliance achieved: requirements 1.2.1b, 1.3.1 


By restricting inbound and outbound traffic, we achieve 
the following requirement: 


Is all other inbound and outbound traffic specifically 
denied (for example by using an explicit "deny all” or 
an implicit deny after allow statement)? (1.2.1b) 


If you take a look at both inbound and outbound rules, 
you will see that the last one (which is default for all 
Network ACLs) is a deny-all rule. 


Also, because we created public subnets (Demilitarized 
Zone), our infrastructure complies with the following 
requirement: 


Is a DMZ implemented to limit inbound traffic to only 
system components that provide authorized publicly 
accessible services, protocols, and ports? (1.3.1) 


There is one more requirement that we haven't complied 
with yet, but it would be really easy to comply with: 

Are development/test environments separate from 
the production environment? (6.4.1a) 

If we wanted to have a few more environments 
(development, staging, testing etc.) instead of just 
production, we'd create a new VPC per environment and 
follow the same setup that we will do throughout the rest 
of the article - and that would be enough to make our 
infrastructure comply with requirement 6.4.1a. 


Internet Gateway (IGW) 


In order for users to interact with our application, we 
need a mechanism that will allow our server to 
communicate with the Internet. This mechanism is a VPC 
component called Internet Gateway. 



If you are still on the VPC management console, look for 
Internet Gateways on the left-hand panel. Then, hit 
Create Internet Gateway (See Figure 8). 

Name your Internet Gateway igw-us-east-1-guestbook 
and click on Yes, Create. After you create it, you will 
notice that the State column reads detached. That is 
because an Internet Gateway needs to be attached to a 
VPC manually. Select your newly created IGW, then 
click on Attach to VPC. Select your VPC and hit Yes, 
Attach. Well done! Next, we will need a Network 
Address Translation (NAT) instance. 


Network Address Translation (NAT) 
instances 


When you have instances running on private subnets, 
there needs to be a way for them to communicate with 
the Internet. And I bet you might have just thought: "Isn't 
that what the Internet Gateway is for?" - You're right, it is! 
However, instances running on private subnets do not 
have a public IP address, which means that their traffic 
would not be routable through the Internet. This means 
that these private instances need to "borrow" a public IP 
address from some other machine. This other machine, 
in the AWS context, is a Network Address Translation 
(NAT) device. Basically, you would run NAT instances on 
the public subnets and give them a public IP address. 
Then, you would configure the private subnets' route 
table to send all Internet-bound traffic coming from the 
private instances to the NAT. The NAT, in turn, would 
forward this traffic to the Internet using its own public IP 
address, making the traffic routable. When the reply 
comes back, the NAT forwards it to the instance that 
started the connection. 


Note that this whole explanation is for the case when the 
instance initiates the traffic. If a user on the Internet 
initiates the traffic, however, it would not go through the 
NAT because the user wouldn't know the private IP 
address of the instance. In this case, we would need an 
Elastic Load Balancer, which would act as a proxy (we'll 
get there soon). 

Figure 8. Create Internet Gateway 


There are two main ways to create NAT instances. The 
first, and hardest, would be to launch EC2 instances on 
the public subnets using a NAT AMI. If you click on 
Launch Instance, then click on Community AMIs (on 
the left-hand side) and type in "NAT", you will have plenty 
of NAT AMIs to choose from. Another important thing 
that you would need to configure is the 
Source/Destination Check. Remember when I said that 
the NAT would forward a private instance's traffic to the 
Internet, and from the Internet back to the instance? 
When an EC2 instance receives network traffic, it checks 
whether the instance itself is the source or the 
destination of the packets; if it is neither, it drops them. 
A NAT instance is, in most cases, neither the source nor 
the destination of the traffic it handles, so with the check 
enabled all the traffic coming from the private instances 
would be dropped. This is why NAT instances need to 
have the source/destination check disabled (in the EC2 
console this is done from the instance's Actions menu, 
under Networking). 

The second way to create NAT instances (which is far 
easier) is to use Amazon's managed NAT service, called 
NAT Gateways. A NAT Gateway is a NAT managed by 
Amazon which, at the time of writing, supports bursts of 
up to 10 Gbps of bandwidth. This is quite handy because 
if you launch your own EC2 instance and there's a huge 
burst of traffic, your NAT instance might not be able to 
handle it, depending on its size. 


Figure 9. NAT Gateway (the Create a NAT Gateway form: Subnet, Elastic IP Allocation ID, and the Create New EIP button) 
For this article, we will use NAT Gateways because of their 
convenience. If you wish to use NAT instances instead, 
you can follow this tutorial from AWS: 

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html 

Before you create a NAT Gateway, you will need one 
piece of information: the ID of the subnet in which you 
would like AWS to deploy it. On the VPC management 
console, click on Subnets and copy the ID of one of the 
public subnets. Then, click on NAT Gateways on the 
left-hand side, and click on Create NAT Gateway (see 
Figure 9). 

Paste the subnet ID in the first text field. The second 
text field asks for an Elastic IP Allocation ID. An Elastic IP 
on AWS is just a public IP address that is allocated to 
your account and can be associated with your resources. 
If you have already created Elastic IPs, grab the allocation 
ID from one of them and paste it here; otherwise, click on 
Create New EIP and AWS will allocate an Elastic IP and 
fill in the text field for you. When you're done, click on 
Create a NAT Gateway. 

For this article we will only create one NAT Gateway, as 
NAT Gateways aren't as cheap as t2.micro instances. In 
Northern Virginia, for example, a NAT Gateway costs 
around $32 per month, while a t2.micro instance costs 
less than $10. If you want a scalable and resilient 
infrastructure, however, you would deploy one NAT 
Gateway per public subnet (that is, one per availability 
zone) and point each private subnet's route table at the 
NAT Gateway in its own zone, so the load is distributed 
and an outage of one zone does not cut the private 
subnets in the other zones off from the Internet. 


Compliance Achieved: requirement 1.3.7a 

By creating a NAT Gateway on the public subnet, we 
achieve the following requirement: 

Are methods in place to prevent the disclosure of 
private IP addresses and routing information to the 
Internet? (1.3.7a) 

Note: Methods to obscure IP addressing may include, but 
are not limited to: 

Network Address Translation (NAT) 

Placing servers containing cardholder data behind proxy 
servers/firewalls 

Removal or filtering of route advertisements for private 
networks that employ registered addressing. 

Internal use of RFC1918 address space instead of 
registered addresses. 

Having a NAT is just one of the ways to achieve this 
requirement. We will soon deploy our application behind 
a proxy (the load balancer), which will also comply with 
requirement 1.3.7a. 


Route Tables 


When you create a new VPC, traffic is only routable 
locally. This means that, even though you create a NAT 
Gateway and an Internet Gateway, the traffic still wouldn’t 
leave the VPC. In order for that to happen, we need to 
add a few rules to the route tables. If you click on Route 
Tables (VPC console), you will notice that AWS has 
already created a default route table for your VPC. In my 
projects, | always create new route tables and leave the 
default one unused. However, if you'd like to use the 
default route table, go ahead. For this article we will 
create new route tables. 


Click on Create Route Table, name it 
rt-us-east-1-guestbook-1 and select your VPC: 




After you hit Yes, Create, click on the Routes tab at the 
bottom of the page. This will be the route table of the 
public subnets, which means that there needs to be a rule 
which directs the traffic to the Internet Gateway. 
Click on Edit and then click on Add another route. Use 
0.0.0.0/0 (which means any IP address) as destination 
and the Internet Gateway's ID as target. This rule is 
basically saying: "whenever there is traffic whose 
destination is not in the 172.20.0.0/16 address space, 
direct it to the Internet Gateway". The local route for 
172.20.0.0/16 that AWS created with the VPC is more 
specific than 0.0.0.0/0, so it still wins for traffic that stays 
inside the VPC. Hit Save to finish editing. 

Now create another route table called 
rt-us-east-1-guestbook-2 for the private subnets. Add a 
route with 0.0.0.0/0 as destination and the NAT Gateway's 
ID as target, and hit Save: 


To make sure the route table contains valid routes, make 
sure the Status of all entries is Active. 


After you have created both route tables, it is time to 
associate them with the subnets. Click on Subnets and 
filter by your VPC if necessary. Once you have located all 
six subnets, do the following for each of them: 

Select the subnet, select the Route Table tab and click 
on Edit 

If the subnet is public, select the 
rt-us-east-1-guestbook-1 route table and save 

If the subnet is private, select the 
rt-us-east-1-guestbook-2 route table and save 


Security Groups 


Security groups are a crucial part of any AWS 
infrastructure because they have the same functionality as 
a firewall. However, you can only specify allow rules, 
not deny rules. For example, suppose you wanted to deny 
access to your application from a certain public IP address. 
This would not be possible with security groups because 
you wouldn't be able to create a rule which denies this IP 
address access to the instance. The solution to this 
problem would be to create a Network Access Control 
List (NACL) rule instead. Right, so what's the difference 
between Security Groups and NACLs? Here are the main 
differences: 

NACLs are applicable at the subnet level, while Security 
Groups are applicable at the instance level (more precisely, 
at the instance's network interface); 

As already mentioned, only allow rules can be specified 
in Security Groups, while in NACLs you can specify both 
allow and deny rules; 

Security Groups are stateful, while NACLs are stateless. 
To understand what this means, you need to understand 
the difference between inbound and outbound rules. 
When a client initiates a connection to a server, the traffic 
is checked against the inbound rules; when the server 
replies to the client, the outgoing traffic is checked against 
the outbound rules. Now, think of the following scenario: 
a client machine wants to access your server on port 5000. 
If you are using Security Groups, you only need to create 
an inbound rule allowing traffic on port 5000. You do not 
need an outbound rule for the reply, because the Security 
Group knows that the connection was initiated by the 
client and not the server. The contrary is also valid - if your 
server initiates the traffic, you only need an outbound rule 
allowing traffic to port 5000, and when the reply comes 
back from the client, the inbound rules will not stop it 
because the server initiated it. The same does not happen 
with NACLs. NACLs do not know who started the 
connection (they do not keep state), which means that if a 
connection comes in for the server on port 5000, you need 
an inbound rule to allow the traffic in, and also an 
outbound rule to allow the reply back out. Note that the 
reply is not addressed to port 5000: it goes back to the 
ephemeral port the client picked for its side of the 
connection, so the outbound rule has to cover the 
ephemeral port range (1024-65535), and the same applies 
in reverse for connections the server initiates. In summary, 
Security Groups keep track of the "state" of the traffic, 
while NACLs do not; 

NACLs apply their rules to incoming and outgoing traffic in 
a certain order. Suppose you create a rule numbered 100 
which allows UDP traffic on port 4638, then a rule 
numbered 200 which denies UDP traffic on the same port. 
When the traffic comes, rule 100 is evaluated first and 
matches, so the traffic is allowed through, even though 
rule 200 denies it; had the numbers been the other way 
round, it would have been denied. Security Groups work 
differently: there is no ordering, all rules are evaluated 
before deciding, and since only allow rules exist, the traffic 
is allowed as soon as any rule matches it and denied only 
if none does. 


Now that the difference between Network Access 
Control Lists and Security Groups are clearer, we can 
move on. 
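To make the stateful/stateless and rule-ordering differences concrete, here is an added Python model of the two filters as the text describes them (my own example; it is not code from the article or from AWS, and it simulates the documented behaviour rather than calling any AWS API). The Packet and Rule types, the NetworkACL and SecurityGroup classes and the addresses in the scenario are constructed for the demonstration; the behaviour they encode is the one described above: a NACL evaluates rules by number, takes the first match and denies anything unmatched, while a security group is allow-only and remembers flows so that replies pass without a matching rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int    # NACL evaluation order; security groups ignore it
    proto: str     # "tcp", "udp" or "all"
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "allow" or "deny"


EPHEMERAL = (1024, 65535)  # ports a client picks for its side of a connection


def _matches(rule, proto, port):
    return rule.proto in ("all", proto) and rule.ports[0] <= port <= rule.ports[1]


def nacl_decide(rules, proto, port):
    """NACL: rules are tried from the lowest number up, the first match
    decides, and the catch-all '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port):
            return rule.action
    return "deny"


def sg_decide(rules, proto, port):
    """Security group: no ordering and no deny rules; every rule is
    considered and a single match is enough to allow the packet."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups can only contain allow rules")
    return "allow" if any(_matches(r, proto, port) for r in rules) else "deny"


def _flow(pkt):
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def _reverse(pkt):
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class NetworkACL:
    """Stateless: each direction is judged on its own, so the reply to an
    allowed inbound connection still needs a matching outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def inbound_packet(self, pkt):
        return nacl_decide(self.inbound, pkt.proto, pkt.dport)

    def outbound_packet(self, pkt):
        return nacl_decide(self.outbound, pkt.proto, pkt.dport)


class SecurityGroup:
    """Stateful: once a packet is allowed, the flow is remembered and
    packets in the opposite direction pass without consulting the rules."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()

    def _check(self, rules, pkt):
        if _reverse(pkt) in self.flows:
            return "allow"
        verdict = sg_decide(rules, pkt.proto, pkt.dport)
        if verdict == "allow":
            self.flows.add(_flow(pkt))
        return verdict

    def inbound_packet(self, pkt):
        return self._check(self.inbound, pkt)

    def outbound_packet(self, pkt):
        return self._check(self.outbound, pkt)


def port_5000_scenario():
    """The article's port-5000 example with constructed addresses. Returns
    the verdict on the server's reply under a security group, under a NACL
    whose outbound rule only covers port 5000, and under a NACL whose
    outbound rule covers the client's ephemeral port range."""
    request = Packet("tcp", "203.0.113.7", 51515, "172.20.48.10", 5000)
    reply = Packet("tcp", "172.20.48.10", 5000, "203.0.113.7", 51515)
    allow_5000 = [Rule(100, "tcp", (5000, 5000), "allow")]
    sg = SecurityGroup(inbound=allow_5000, outbound=[])
    sg.inbound_packet(request)  # admits the request and records the flow
    port_only = NetworkACL(inbound=allow_5000, outbound=allow_5000)
    ephemeral = NetworkACL(inbound=allow_5000,
                           outbound=[Rule(100, "tcp", EPHEMERAL, "allow")])
    return {"security_group": sg.outbound_packet(reply),
            "nacl_port_5000_only": port_only.outbound_packet(reply),
            "nacl_ephemeral": ephemeral.outbound_packet(reply)}
```

port_5000_scenario() returns "allow" for the security group with no outbound rule at all, "deny" for the NACL whose outbound rule names port 5000, and "allow" once the outbound rule covers 1024-65535; nacl_decide with the article's UDP 4638 rules shows that swapping the rule numbers flips the verdict, and sg_decide refuses a rule set containing a deny rule, mirroring the console.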


We will be creating four security groups: one for the Redis 
cluster, one for the Elastic Load Balancer, one for the 
bastion host, and one for the server. Go to the EC2 
dashboard, click on Security Groups on the left panel and 
create them, named after the component they protect in 
the same style as the other resources: 
seg-us-east-1-elc:guestbook (Redis), 
seg-us-east-1-elb:guestbook (load balancer), 
seg-us-east-1-ec2:bastion (bastion host) and 
seg-us-east-1-ec2:guestbook (application server). In the 
original article each security group is shown as two 
screenshots, one with the inbound rules and another with 
the outbound rules; they are not reproduced here, but the 
rules are the ones the rest of the article relies on: the load 
balancer group accepts HTTP and HTTPS (the two listeners 
of Figure 10) from anywhere; the bastion group accepts 
TCP port 22 only from your own IP address; the guestbook 
group accepts port 22 from the bastion's security group 
and the application port (3000) from the load balancer's 
security group; the Redis group accepts the Redis port 
(6379, the default we keep later) only from the guestbook 
group; and each group's outbound rules allow only the 
traffic that component needs. Using a security group rather 
than a CIDR as the source ties a rule to the component 
instead of to an address that may change. 

Next, we will create a Redis cluster. 


Compliance achieved: requirements 1.1.4a, 1.1.7a, 
1.1.7b, 1.2.1a, 1.3.4, 1.3.5 


Security Groups help our infrastructure comply with 
quite a lot of requirements. Let's discuss them one by one. 

Is a firewall required and implemented at each 
Internet connection and between any demilitarized 
zone (DMZ) and the internal network zone? (1.1.4a) 

Our infrastructure complies with requirement 1.1.4a 
because we have security groups for the Load Balancer 
and the bastion host (which sit on the DMZ) and a security 
group for the guestbook instance which allows only certain 
traffic from the DMZ. 

Do firewall and router configuration standards require 
review of firewall and router rule sets at least every 
six months? (1.1.7a) 

Are firewall and router rule sets reviewed at least 
every six months? (1.1.7b) 

As long as you write a policy document stating that you 
review the security group rules every six months, and 
actually carry out and record those reviews, you will 
comply with both of these requirements. 

Is inbound and outbound traffic restricted to that 
which is necessary for the cardholder data 
environment? (1.2.1a) 

Our security groups only allow necessary traffic into our 
VPC. For instance, only our IP address is allowed when 
connecting to the bastion host. 

Is outbound traffic from the cardholder data 
environment to the Internet explicitly authorized? 
(1.3.4) 

For each infrastructure component (Redis, load balancer, 
bastion etc.) there is a security group which explicitly 
authorizes outbound traffic. 


Are only established connections permitted into the 
network? (1.3.5) 


Examine firewall and router configurations to verify 
that the firewall performs stateful inspection 
(dynamic packet filtering). 


As previously explained, Security Groups are stateful 
(http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html). 


ElastiCache (Redis) Cluster 


Like NAT Gateways, AWS also offers a service for Redis, 
called ElastiCache. ElastiCache can also be used to 
deploy Memcached clusters. But for this article we will 
use Redis. 


Go to the ElastiCache dashboard, click on Redis on the 
left panel and hit Create: 


Name your cluster redis-guestbook. You do not need to 
change Engine version compatibility, Port or 
Parameter group. Now, in regards to the Node type, if 
this was an application which needed a powerful redis 
cluster, you would probably go for a R3 node type and at 
the very least, 1 replica. But since we are building this 
network for learning purposes, we will stick to the 
cheapest node type (t2.micro) and no replica. 
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After you finish filling in all these fields, click on 
Advanced Redis settings. Unselect Multi-AZ with 
Auto-Failover and create a new subnet group if you 
haven't created one yet: 


Name your subnet group sng-redis-guestbook and add a 
description. Then, select your VPC and its three private 
subnets. Down below, in Security groups, choose the 
seg-us-east-1-elc:guestbook security group that we have 
just created. 


The rest of the configuration can be left as is. 
Finally, click on Create. 


Before we move on to create the guestbook application’s 
server, we need to configure one more thing. Since each 
one of us will have a different Redis cluster URLs, we 
need to agree on the same URL so we don’t have to 
modify the guestbook application. In fact, this is one of 
the best approaches when it comes to deploying 
applications to different environments and using different 
URLs for each environment. We are going to create a 
private Hosted Zone. 


Go to the Route53 Management Console, and click on 
Hosted zones. Then, click on Create Hosted Zone. 
Type in guestbook.internal for the Domain Name and 
select the Type Private Hosted Zone for Amazon VPC. 
The console will ask you for a VPC, so select your VPC. 
Although optional, you can type in a description of this 
private hosted zone in the Comment field (e.g. "Private 
Hosted Zone for the Guestbook application"). Then click 
on Create: 

Figure: Create Hosted Zone form (Domain Name, Comment, Type, VPC) 

After the hosted zone is created, we will create a Record 
Set. The Name of this Record Set will be 
redis.guestbook.internal. As for the Type, choose 
CNAME - Canonical name. Then, open another tab, go 
to the ElastiCache dashboard and copy your Redis 
cluster endpoint (by clicking on the cluster name and 
copying the Node's URL). Paste this endpoint in the Value 
field. Above the Value field, you will see something called 
TTL - Time To Live. The TTL defines how long your DNS 
record will be cached by the resolvers that look it up. 
Suppose you set the TTL to 5 minutes. This means that if 
you change the DNS record, resolvers would keep 
showing the old value for up to 5 minutes; after that time 
expires, they will naturally refresh the record. It's also 
worth mentioning that if you have a high TTL for a certain 
DNS record and you wish to change it, lower the TTL 
before actually making the change, so the resolvers 
refresh their cache as soon as possible. For instance, if 
you have a record with a TTL of 86400 seconds (24 hours), 
change this TTL to something like 600 seconds at least 24 
hours before you change the record; the old record will 
then be cached for only 10 minutes and your new record 
will propagate faster. Now that you know what TTL 
means, leave it at 300 seconds. Click on Create: 

Figure: Create Record Set form (Name, Type, Alias: Yes/No, TTL, Value) 

Remember in the beginning when you created the VPC 
and then set Edit DNS Hostnames to Yes? If this option 
is set to No, private DNS records will not be resolved 
inside the VPC. By setting it to Yes (together with DNS 
resolution, which Figure 4 shows enabled) you are telling 
Amazon that you want private DNS records to be 
resolved inside your VPC. 

Compliance Achieved: requirement 1.3.6 

Are system components that store cardholder data 
(such as a database) placed in an internal network 
zone, segregated from the DMZ and other untrusted 
networks? (1.3.6) 
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Although we are not using Redis to store any cardholder 
data, we’d still be complying with this requirement as 
Redis has been deployed to an internal network zone - 
segregated from the DMZ. 


Guestbook Application (EC2) 


We will now deploy the guestbook application. Go to the 
EC2 dashboard and click on Launch Instance. Select 
the Ubuntu Server 16.04 LTS (HVM), SSD Volume Type 
AMI. Then, select t2.micro as Instance Type. Next, on the 
Configure Instance Details page, select your VPC and 
one of the private subnets (any availability zone will do 
because all of the private subnets are configured to send 
traffic to the NAT Gateway). You do not need to change 
any of the remaining fields. Click on Next: Add Storage, 
leave the size of the disk as is (8 GB) and hit Next: Add 
Tags. For the Name tag, type in production - Guestbook 
and hit Next: Configure Security Group. On the 
Security Group page, click on Select an existing 
security group, select seg-us-east-1-ec2:guestbook and 
click on Review and Launch. Quickly review your 
Instance Launch details and hit Launch. When asked for 
an SSH key, select any SSH key that you may already 
have created, or create a new one. 


At this moment you will not be able to connect to this 
EC2 instance because it was deployed to a private 
subnet. So what we need to do is to launch a Bastion 
host on the Demilitarized Zone (DMZ) - a.k.a public 
subnet. 


Bastion Host 


A bastion host is an instance that sits on the public 
subnet and is the gateway through which one can 
connect to instances on the private subnet. 


Launch another EC2 instance like we just did, but 
change some of the configuration: 

- Choose t2.nano for the instance size 
- Choose a public subnet this time 
- Use production - Bastion as the Name tag 
- Select the seg-us-east-1-ec2:bastion security group 


After you launch the bastion host, you will notice that 
there's no public IP address assigned to it. That's 
because when you create your own VPC, the default 
behaviour is that instances are not assigned a public IP 
address. To fix that, click on Elastic IPs on the left panel 
of the EC2 dashboard, then click on Allocate New 
Address. AWS has changed the interface for creating 
Elastic IPs over the years, but if it gives you the option to 
create an Elastic IP and assign it to the bastion host 
straight away, do so. Otherwise, just allocate a new 
address, select it, click on Actions, then Associate 
Address, associate it with the bastion host and you're 
good to go! Also, it's worth mentioning that the Elastic 
IP's scope needs to be VPC. 


Now that we have a bastion host and the guestbook 
application instance, it's time to connect to the latter. 
Instead of SSHing into the bastion, and then SSHing into 
the guestbook instance, we'll do something different. Add 
the following snippet to your SSH config file (usually 
located at ~/.ssh/config - if you don't have this file, 
create one): 

Host bastion 
    HostName <your-bastion-public-IP> 
    User ubuntu 
    IdentityFile <path-to-your-private-key> 
    ForwardAgent yes 

Host guestbook 
    HostName <your-guestbook-instance-private-IP> 
    User ubuntu 
    IdentityFile <path-to-your-private-key> 
    ProxyCommand ssh -W %h:%p bastion 

Before saving your SSH config file, fill in the information 
described in angle brackets. The ProxyCommand line 
makes ssh open a TCP tunnel through the bastion to port 
22 of the guestbook instance, so your private key is never 
copied to the bastion; because of that, ForwardAgent is not 
needed for this hop and can be left out if you would rather 
the bastion could not use your agent. After that, you only 
need to do: 

$ ssh guestbook 

Piece of cake, right? 


If you cannot connect to the guestbook instance, make 
sure you have the following in place: 

- Each public subnet has a route table associated with it 
where the destination 0.0.0.0/0 has the Internet 
Gateway as Target 

- Each private subnet has a route table associated with 
it where the destination 0.0.0.0/0 has the NAT 
Gateway's ID as Target 

- The NAT Gateway has an Elastic IP associated with it 
(and if you launched your own NAT instance instead, you 
have disabled its Source/Destination Check) 

- The bastion host allows inbound TCP traffic on port 22 
from your IP address, and allows outbound TCP traffic 
to any destination and any port 

- The bastion host has been assigned a public Elastic IP 
address 

- The guestbook instance allows inbound TCP traffic on 
port 22 from the bastion's security group 

Deploying the Guestbook application 

It is finally time to deploy our application. Log in to the 
guestbook EC2 instance and type in the following 
command (the owner segment of the repository URL is 
illegible in the scanned original): 

$ git clone https://github.com/.../guestbook 

If git is not installed, use the following commands to 
install it: 

$ sudo apt-get update 
$ sudo apt-get install git 

After cloning the guestbook repository, cd into it and list 
the files. You will see that there's a file called setup. This 
file is a bash script which installs the entire Golang 
environment and a tool called supervisor (we will use 
supervisor to keep our Go application running in the 
background). Just run the setup script and the 
guestbook application will be running in a few seconds: 

$ ./setup 

After the script finishes running, your guestbook 
application will already be running! To confirm that is the 
case, type in the following command: 

$ curl localhost:3000/health 
Ok 

When you make a curl request to the health endpoint, the 
guestbook application should reply "Ok" and the status 
code of the HTTP request will be 200. 

Also, we need to double-check that our application is 
able to communicate with Redis. Type in the following 
command: 

$ curl localhost:3000/info 

The command above will output some information about 
your Redis cluster. If you didn't receive any errors and the 
HTTP status of the request above is 200, then you are 
good to go! 

Elastic Load Balancer (ELB) 

We will now create an Elastic Load Balancer to forward 
traffic to our server. On the EC2 dashboard, click on 
Load Balancers, then click on Create Load Balancer. 
You will have two options: Application Load Balancer and 
Classic Load Balancer. Choose the Classic Load 
Balancer. Now, name your Load Balancer 
elb-prod-guestbook, select the Guestbook's VPC and 
create two listeners for your load balancer (see Figure 
10). 

Notice that we are allowing traffic on port 80. The idea 
would be that all traffic that comes on port 80 is 
redirected to port 443 so your website enforces traffic 
over HTTPS. In this article, we will not do that, but that 
would be as simple as modifying the guestbook 
application to redirect the traffic permanently (HTTP 
status code 301) to the HTTPS address. 

Figure 10. Name your Load Balancer elb-prod-guestbook, select the Guestbook's VPC and create two listeners for your load balancer (Basic Configuration: Load Balancer name, Create LB inside, Create an internal load balancer; listener table with Load Balancer Protocol, Load Balancer Port, Instance Protocol, Instance Port) 


After setting up the listeners, it is time to select the subnets. Since our application will be accessed by anyone, we will select the public subnets to deploy our Load Balancer to (select all subnets with the snpu prefix) (see Figure 11).

Click on Next: Assign Security Groups to proceed. When asked to select a security group, select the security group with name seg-us-east-1-elb:guestbook and hit Next: Configure Security Settings. On this page, there are currently three ways to set up an SSL certificate on the Load Balancer:

- Choose an existing certificate from AWS Certificate Manager (ACM)

- Choose an existing certificate from AWS Identity and Access Management (IAM)

- Upload a new SSL certificate to AWS Identity and Access Management (IAM)


Figure 11. Available subnets and selected subnets (Availability Zone, Subnet ID, CIDR, Name)

Figure 12. The ACM option (Step 3: Configure Security Settings, Select Certificate)
I chose to get a certificate from AWS Certificate Manager because it is free and you don't have to leave the AWS platform to deal with it, which is very convenient. However, if you prefer to get a certificate from GoDaddy or any other trusted Certificate Authority, you will need to manually upload the certificate to AWS.


If you have never requested a certificate on AWS before, check this quick tutorial:

http://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request.html


I will use a subdomain to point at the guestbook application, and since I own the domain renandias.guru, I requested a certificate for *.renandias.guru. If you select the ACM option, you can choose your certificate from the drop-down list (see Figure 12).


Next is one of the most crucial configurations: the ELB 
Security Policy. An ELB Security Policy contains SSL 
Protocols, Options and Ciphers to be used by the ELB. If 
you do not configure the policy correctly, you will have a 
lot of vulnerabilities in your infrastructure. So let’s do it 
carefully! 


Let's start with the SSL/TLS protocols. SSLv3 or earlier and TLS1.0 contain serious exploits such as POODLE and Heartbleed. For that reason, the PCI SSC (Payment Card Industry Security Standards Council) is requesting that systems using SSLv3 or earlier or TLS1.0 should use a secure version of TLS: TLS1.1 or higher. You can read more about this here:

https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls


Back to the AWS console, select Custom Security 
Policy, and make sure Protocol-TLSv1 is not selected. 
Although TLSv1.1 is more secure than TLSv1, TLSv1.1 is 
starting to be flagged as a vulnerability when running 
vulnerability scanners against your infrastructure. For this 
reason, unselect Protocol-TLSv1.1 and leave only 
Protocol-TLSv1.2 selected: 




Then, make sure that the Server Order Preference 
option is selected. Here is AWS’ explanation about this 
option: 


“During the SSL connection negotiation process, the client and the 
load balancer present a list of ciphers and protocols that they each 
support, in order of preference. By default, the first cipher on the 
client's list that matches any one of the load balancer's ciphers is 
selected for the SSL connection. If the load balancer is configured to 
support Server Order Preference, then the load balancer selects the 
first cipher in its list that is in the client's list of ciphers. This ensures 
that the load balancer determines which cipher is used for SSL 
connection. If you do not enable Server Order Preference, the order 
of ciphers presented by the client is used to negotiate connections 
between the client and the load balancer.” 


Since we are not sure about which SSL Ciphers the client 
will offer, the best and safest way is to make sure the 
ELB will choose the Cipher. 


Next, select the following SSL Ciphers:

- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA
- AES256-GCM-SHA384
- AES256-SHA256
- AES256-SHA


You will notice that we will not use the DHE-RSA-AES128-SHA cipher. The reason is that this cipher contains a vulnerability called SWEET32 (birthday attacks on 64-bit block ciphers). Read more about SWEET32 here: https://sweet32.info/
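The protocol, cipher-order and cipher choices above can be checked against a load balancer's actual policy rather than by eye. The following is an added example, not the article's code: it audits the attribute list that `aws elb describe-load-balancer-policies` returns (a list of AttributeName/AttributeValue pairs) and can also emit the hardened attribute list for `aws elb create-load-balancer-policy`; the sample policy is constructed.

```python
"""Audit a Classic ELB SSL negotiation policy against the settings the
article prescribes: only TLSv1.2 enabled, Server Order Preference on, and no
cipher outside the chosen list.  Added example, not the article's code.
The input shape follows the PolicyAttributeDescriptions list returned by
`aws elb describe-load-balancer-policies`; SAMPLE_POLICY is constructed."""
from typing import Dict, List

# The ciphers the article selects for the custom security policy.
ALLOWED_CIPHERS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
}
# Protocol switches of a Classic ELB policy; only TLSv1.2 may stay on.
PROTOCOL_ATTRS = {"Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1",
                  "Protocol-TLSv1.1", "Protocol-TLSv1.2"}
SERVER_ORDER = "Server-Defined-Cipher-Order"   # "Server Order Preference"


def audit_policy(attrs: List[Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the policy matches."""
    enabled = {a["AttributeName"] for a in attrs
               if a["AttributeValue"].lower() == "true"}
    findings = []
    # 1. Legacy protocols: SSLv2/SSLv3/TLSv1/TLSv1.1 must all be off.
    for proto in sorted(enabled & PROTOCOL_ATTRS):
        if proto != "Protocol-TLSv1.2":
            findings.append(f"legacy protocol enabled: {proto}")
    if "Protocol-TLSv1.2" not in enabled:
        findings.append("Protocol-TLSv1.2 is not enabled")
    # 2. Without server order preference the client's first match wins.
    if SERVER_ORDER not in enabled:
        findings.append("Server Order Preference is off: client picks the cipher")
    # 3. Every other enabled boolean attribute is a cipher suite.
    ciphers = enabled - PROTOCOL_ATTRS - {SERVER_ORDER}
    for cipher in sorted(ciphers - ALLOWED_CIPHERS):
        findings.append(f"cipher outside the approved list: {cipher}")
    return findings


def hardened_attributes() -> List[Dict[str, str]]:
    """Attribute list equivalent to the article's custom policy, in the shape
    `aws elb create-load-balancer-policy --policy-attributes` accepts."""
    attrs = [{"AttributeName": p,
              "AttributeValue": str(p == "Protocol-TLSv1.2").lower()}
             for p in sorted(PROTOCOL_ATTRS)]
    attrs.append({"AttributeName": SERVER_ORDER, "AttributeValue": "true"})
    attrs += [{"AttributeName": c, "AttributeValue": "true"}
              for c in sorted(ALLOWED_CIPHERS)]
    return attrs


# Constructed sample: a policy with the weaknesses the article warns about.
SAMPLE_POLICY = [
    {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
    {"AttributeName": "Protocol-TLSv1.1", "AttributeValue": "true"},
    {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
    {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "false"},
    {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
    {"AttributeName": "DHE-RSA-AES128-SHA", "AttributeValue": "true"},
]

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
    print("hardened policy findings:", audit_policy(hardened_attributes()))
```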


After you are done, click on Next: Configure Health Check. For the health check, we will use the /health endpoint:

Step 4: Configure Health Check (Ping Protocol: HTTP; Ping Path: /health; Advanced Details: Response Timeout 5 seconds, Interval 30 seconds, Unhealthy threshold 2, Healthy threshold 2)


Click on Next: Add EC2 Instances. Now, find your 
guestbook instance and select it. Then, skip the step of 
adding tags and create the Elastic Load Balancer. After a 
minute, the Load Balancer will have a healthy instance 
and will start forwarding traffic to it (See Figure 13). 


Hold on, we are nearly there! The very last step will be to create a DNS record for our application. Go to Route53 and click on the hosted zone in which you'd like to create the DNS record.


Route 53 Create Record Set form: Name guestbook, Type A - IPv4 address, Alias Yes, Alias Target the ELB's DNS name, Routing Policy Simple

Create a DNS record such as guestbook.yourdomain.com. Then, select A - IPv4 address as Type. Now click on Alias Yes and paste the ELB's DNS name.


Type in on your browser the URL you have chosen for the 
guestbook application (remember to type in HTTPS 
before the URL): 


Voila! You have now created a quite complex AWS 
infrastructure which follows some of the PCI DSS 
security standards! 


But... wait! There are a few more requirements that we 
have just complied with. 


Compliance achieved: requirement 2.2.1a, 4.1e, A2.2 


Is only one primary function implemented per server, 
to prevent functions that require different security 
levels from co-existing on the same server? (2.2.1a) 


All the servers in our infrastructure implement only one 
primary function: 


- The Elastic Load Balancer only forwards traffic to the guestbook instance;

- The Guestbook instance only serves the guestbook application;

- The Bastion host is only used as a gateway for us to SSH into the guestbook instance;

- The ElastiCache cluster is only running Redis;

- And Amazon Route53's main purpose is around DNS.

Figure 13. The Load Balancer will have a healthy instance and will start forwarding traffic to it


For TLS implementations, is TLS enabled whenever 
cardholder data is transmitted or received? (4.1e) 


We are currently not transmitting or receiving any 
cardholder data, but because we have set up TLS on the 
Load Balancer, it would be really easy to comply with this 
requirement, right? 


Is there a formal Risk Mitigation and Migration Plan in place for all implementations that use SSL and/or early TLS (other than as allowed in A2.1), that includes: (A2.2)


Our Elastic Load Balancer does not use SSL or early 
versions of TLS, which means that we do comply with 
this requirement. If your infrastructure were being 
assessed, you would indicate that this requirement is not 
applicable. 


Other easily achievable requirements 


Are the following audit trail entries recorded for all system components for each event:

- User identification? (10.3.1)

- Type of event? (10.3.2)

- Date and time? (10.3.3)

- Success or failure indication? (10.3.4)

- Origination of event? (10.3.5)

- Identity or name of affected data, system component, or resource? (10.3.6)

To keep track of what is happening on your system and comply with the requirements above, you can use the Auditd tool: https://linux.die.net/man/8/auditd
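Each of the six 10.3 items maps to a field that auditd already writes into /var/log/audit/audit.log. The following is an added example, not the article's code: it parses records in auditd's own format (type=... msg=audit(timestamp:serial): key=value ...) and labels the six fields; the three records and the junk line are constructed.

```python
"""Map Linux audit records to the six PCI DSS 10.3 audit-trail fields.
Added example, not the article's code.  SAMPLE_RECORDS are constructed in
the audit.log format auditd writes; they are not captured from a system."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# type=<event type> msg=audit(<epoch seconds>.<ms>:<serial>): <key=value ...>
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value tokens; values may be 'single-quoted', "double-quoted" or bare.
KV = re.compile(r'''(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|\S+)''')
OUTCOME = {"success": "yes", "yes": "yes", "failed": "no", "no": "no"}
UNSET_AUID = "4294967295"   # auid before any login uid has been assigned


def _unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_fields(body: str) -> Dict[str, str]:
    """Flatten the record's key=value pairs, including those nested in msg='...'."""
    fields = {k: _unquote(v) for k, v in KV.findall(body)}
    if "msg" in fields:                      # USER_* records nest a second k=v list
        for k, v in KV.findall(fields["msg"]):
            fields.setdefault(k, _unquote(v))
    return fields


def _who(f: Dict[str, str]) -> str:
    """10.3.1: the login uid (survives su/sudo) or, before login, the account name."""
    auid = f.get("auid")
    if auid and auid != UNSET_AUID:
        return f"auid={auid}"
    return f"acct={f['acct']}" if "acct" in f else "unknown"


def to_pci_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the six 10.3 fields for one record, or None if it is not an audit record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    f = parse_fields(m["body"])
    when = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    outcome = (f.get("res") or f.get("success") or "unknown").lower()
    return {
        "user_identification": _who(f),                                    # 10.3.1
        "event_type": m["type"],                                           # 10.3.2
        "date_time": when.isoformat(),                                     # 10.3.3
        "success": OUTCOME.get(outcome, "unknown"),                        # 10.3.4
        "origin": f.get("addr") or f.get("hostname") or f.get("exe") or "local",   # 10.3.5
        "affected": f.get("name") or f.get("key") or f.get("terminal")
                    or f.get("exe") or "unknown",                          # 10.3.6
    }


def summarize(lines: List[str]) -> List[Dict[str, str]]:
    """Convert every parseable line; non-audit lines are skipped."""
    return [e for e in (to_pci_entry(l) for l in lines) if e is not None]


# Constructed sample records (a successful login, a failed PAM auth, a denied read).
SAMPLE_RECORDS = [
    "type=USER_LOGIN msg=audit(1500000000.123:456): pid=2301 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=10.0.1.5 addr=10.0.1.5 "
    "terminal=ssh res=success'",
    "type=USER_AUTH msg=audit(1500000060.000:457): pid=2310 uid=0 auid=4294967295 "
    "ses=4294967295 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'",
    "type=SYSCALL msg=audit(1500000120.500:458): arch=c000003e syscall=2 success=no "
    "exit=-13 items=1 ppid=2400 pid=2412 auid=1000 uid=1000 tty=pts0 comm=\"cat\" "
    "exe=\"/usr/bin/cat\" key=\"shadow-access\"",
    "not an audit record",
]

if __name__ == "__main__":
    for entry in summarize(SAMPLE_RECORDS):
        print(entry)
```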
Are audit logs retained for at least one year? (10.7b)

To comply with requirement 10.7b, you would need to back up the log files generated by Auditd. You could, for instance, send them to S3 and store them for at least a year.


Are at least the last three months’ logs immediately 
available for analysis? (10.7c) 


Since PCI DSS requires that at least the last three 
months of logs are immediately available, you could send 
the log files to a standard S3 bucket. Then, you would 
create an S3 Lifecycle rule where these log files would be 
sent to either an infrequent access bucket or to Glacier - 
to save you some money. 


Are configuration standards developed for all system 
components and are they consistent with 
industry-accepted system hardening standards? 
(2.2a) 


Sources of industry-accepted system hardening standards may include, but are not limited to, SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), and Center for Internet Security (CIS).

To comply with this requirement, you will need to configure your system according to at least one of these institutions. To give you an example, you can get Benchmarks documents from Center for Internet Security (CIS) on this link: https://learn.cisecurity.org/benchmarks


You only need to fill in the form and you will have access 
to tens of Benchmarks. You will find Benchmarks of 
desktops and web browsers (e.g. Apple OS X, Google 
Chrome, Internet Explorer, Firefox, Opera etc), mobile 
devices (e.g. iOS and Android), network devices (e.g. 
Cisco Firewall, Cisco IOS, Juniper JunOS), operating 
systems (e.g. Amazon Linux, CentOS, Ubuntu, Oracle 
Linux, Windows Server), web servers and databases 
(e.g. Apache Tomcat, Microsoft IIS, MySQL, MongoDB, 
Oracle Database server, SQL Server), virtualization 
platforms and cloud (Docker, VMware, Xen, Amazon 
Web Services) and Microsoft office suite. 


Conclusion 


As I mentioned before, PCI is bigger than just a couple of security standards. But I hope that this article gave you the feeling of how your infrastructure should be configured to be PCI compliant. If you wish to know more about PCI compliance on AWS, take a look at this very detailed guide:

https://d0.awsstatic.com/whitepapers/compliance/AWS_Anitian_Workbook_PCI_Cloud_Compliance.pdf

Whether or not you are trying to get an Attestation of PCI Compliance from a Qualified Security Assessor (QSA), the tips in this article will definitely get you started towards building a very secure infrastructure.
BSD Certification

The BSD Certification Group Inc. (BSDCG) is a non-profit organization committed to creating and maintaining a global certification standard for system administration on BSD based operating systems.

WHAT CERTIFICATIONS ARE AVAILABLE?

BSDA: Entry-level certification suited for candidates with a general Unix background and at least six months of experience with BSD systems.

BSDP: Advanced certification for senior system administrators with at least three years of experience on BSD systems. Successful BSDP candidates are able to demonstrate strong to expert skills in BSD Unix system administration.

WHERE CAN I GET CERTIFIED?

We're pleased to announce that after 7 months of negotiations and the work required to make the exam available in a computer based format, the BSDA exam is now available at several hundred testing centers around the world. Paper based BSDA exams cost $75 USD. Computer based BSDA exams cost $150 USD. The price of the BSDP exams is yet to be determined.

Payments are made through our registration website: https://register.bsdcertification.org//register/payment

WHERE CAN I GET MORE INFORMATION?

More information and links to our mailing lists, LinkedIn groups, and Facebook group are available at our website: http://www.bsdcertification.org

Registration for upcoming exam events is available at our registration website: https://register.bsdcertification.org//register/get-a-bsdcq-id


SECURITY

AWS Infrastructure Security: Deep Dive into Access Control Management

You will learn ...

- How to think through the security of your AWS infrastructure.

- Some tools that AWS provides to improve the planning of Access Control.

You should be familiar with ...

- Security-related topics.

- AWS services.

- Access Control Management.


Introduction 


A recent report indicates that the cloud market was 
valued at $148 billion in 2016 with expected annual 
growth rate at 25%. Statistics, provided by RightScale, 
show that 31% of enterprises are running more than 
1000 VMs in private cloud and 17% of enterprises are 
having more than 1000 VMs in public cloud. Given such 
massively sophisticated infrastructures, it’s crucial to 
design your cloud infrastructure efficiently. In the 
meantime, Amazon continues to dominate the cloud 
market with almost one-third of the market share. So, we 
will be focusing on the infrastructure of Amazon Web 
Services (AWS). 


There are some tools that can be used to help design an efficient, scalable AWS infrastructure. This article aims to discuss various considerations with access control management in AWS infrastructure. The weakest link in an enterprise is the people who administer and use the resources. Thus, it's important to learn the best practices for securing such activities and information from attackers while allowing for the scalability of the organization's infrastructure.


Main Body 


Let's start with discussing authentication. Authentication is a cornerstone of access control management. It is required by most credible security and compliance standards such as NIST, ISO and HIPAA. In AWS, access is granted based on least privilege and this access is audited via SOC-2 audit on a 24/7 basis. While planning for AWS authentication, it's critical to consider user-based and group-based security policies. AWS opens the doors for managed, inline or custom policies written in JSON format (details of security policies are beyond the scope of this article). For such users and groups, it's always recommended to have a password policy that defines the criteria of strong passwords that should be used. Also, make sure to think through authorization levels from user, group and resource perspectives while developing the security policies.


AWS supports six different authentication options. These 
options can be bundled or used individually: 


Email Address and Password: this is the root-user 
account for the person who first creates the AWS 
account for the organization. 


Multi-Factor Authentication (MFA): AWS supports MFA 
in which you will get a code on your registered phone 
number, for example, to confirm your identity. 


Access Keys: can be used to provide third-party access or implement OAuth 2-like mechanisms. This is important for automating processes. Please note that AWS limits the number of access keys to two per user.

Key Pairs: AWS supports public-key cryptography, which allows multiple users to have similar credentials. You can have a maximum of two key pairs. AWS supports CloudFront key pairs and X.509 certificates. (X.509 certificates are digital certificates that use the X.509 public key infrastructure standard to associate a public key with an identity contained in a certificate.)

IAM Usernames: the root user creates different user accounts for the users in the organization who are supposed to use different AWS services. These users will have controlled, customized access to resources.


Figure 1.0 shows a screenshot of “Security 
Credentials” page from Console login to AWS. Blue 
arrows refer to the different authentication options that 
can be configured. Although AWS provides console login 
for users, you should be wise in making the proper 
decision in selecting the authentication mechanism. For 
example, key pairs might be suitable to provide access 
to multiple users with similar credentials. 


However, if access keys were poorly designed, you might 
end up with unauthorized users consuming the 
organization’s AWS services once they get access to 
these keys. In AWS, user and authentication related 
items are managed through Identity and Access 
Management (IAM). If you are not familiar with IAM, think 
about active directory in an organization. IAM is an 
improved version of active directory to manage users, 
groups, roles, policies and various account settings in 
AWS. 


That is all about user accounts but what about the 
root-level account?! Amazon refers to the first AWS 
account that gets created for the organization on AWS as 
“Root Account”. This account has full access to all 
account resources; it can’t be disabled and it can’t be 
controlled via IAM. Please remember that this account 
should NOT be used for daily operation. Login 
information for the root account should be stored in an 
encrypted format in a “safe” place. This place should 
have MFA mechanism applied to it. AWS supports 
Google Authenticator for virtual devices and Gemalto for 
hardware devices. 


Figure 1.0 Authentication Options in AWS (Your Security Credentials page)

Figure 2.0 IAM Dashboard Page for Root Level Account


Due to the cost of maintaining stored login information for the root-level account, some experts recommend that you don't have to store this login information!!! SMEs suggest that you can create an IAM role with full admin privileges and change the root account password to something you won't remember (e.g. a random string). Once you change the password, don't save the new password and use a forgot-password link to gain access to the root account if needed.

Typically, you should NOT use the root account unless you need to change the root account info, change billing info, buy new AWS items, test AWS' public IP address, or close the AWS account. Moreover, there are various security-related activities that can be done on the root account. These activities are monitored via the account dashboard. Ideally, the security status on the dashboard should show 5/5 completed activities. Figure 2.0 shows the dashboard of IAM for a Root-level account. Please note that you may not need an MFA mechanism if you are going to change the account password to a random string.

Once the root account is properly configured, you should start thinking about creating user accounts. Generally, it's recommended to have an account for each environment for your applications (e.g. development, test and production). Furthermore, you may need additional accounts for more granular security or specific needs (no worries, you can enable cross-account access to use the resources shared by other accounts). Keep in mind that the more accounts you have, the better the granularity of user account security, but also the higher the complexity of user management becomes. If you encounter unexpectedly high bills, you can enable consolidated billing on your accounts to monitor the billing activity of each account separately.

Figure 3.0 IAM Create Role Page (Set Role Name)


One way to think about designing multiple user accounts 
is to consider these accounts from governance 
perspective in which you have trusting account (provider) 
and a trusted account (consumer). Trusting accounts 
should have higher privileges to support the creation of 
Virtual Private Clouds (VPCs), Network Access Control 
Lists (NACLS), Subnets, consumer accounts, IAM, 
managed services, Virtual Private Networks, security 
groups and EC2 instances. 


On the other hand, the trusted account will only focus on 
the resources that can be consumed (e.g. EC2 
Resources, database resources (RDS) or Elastic Boxes). 


AWS makes it easy for you to apply the provider/consumer concept by providing the ability to create Roles, Groups and Users through IAM. During the creation of the new role, you will have the option to define the security policy(ies) that can control this role. Similarly, groups and users can be configured. Figure 3.0 shows the five steps that are needed to create a new customized role.


There are various approaches to access resources 
supported by AWS. These approaches can be 
categorized into administrative (AWS management 
console and Command Line Interface), APIs and 
Managed Services. Details on these items are beyond 
the scope of this article but it’s important to note that 
these tools do not monitor all resource access control 
metadata. 


Information related to Relational Database Server logon 
or EC2 instance logon is not captured. Such information 
can be monitored via OS-based monitoring or logging. 


While creating roles, users and groups, think about your 
password management strategy. Password management 
is a vital element of secure infrastructure. You will need to 
consider aspects like minimum password length, 
password reuse, complexity rules, password expiration 
and expiration procedure. 


AWS supports the use of various tools to collect statistics on password metadata. These tools include IAM console, AWS CloudTrail, Credential Report, Access Advisor, Simple Notification Service (SNS) and CloudWatch (details on these tools are beyond the scope of this article). The rule of thumb is that if you are at the console, you need a password. If you are consuming an API or using CLI, you need access keys.

Figure 4.0 Best Practices in Designing AWS IAM Accounts for Organization


Figure 4.0 summarizes best practices needed to be 
considered for designing scalable IAM accounts. Please 
notice the density of rows originated from Roles and 
Groups. It’s expected that policies are applied at a more 
generic level so they can be easily maintained. 


Users are not expected to have special permissions 
except in extreme scenarios where one user has ultimate 
special needs that are not shared by other users. 


Conclusion 


Finally, we can summarize the best practices that we've discussed in this article in the following bullet points:

Individual Users:

- Always start by granting least privileges.

- Enable credential rotation per user.

- Use unique credentials for each user.

Permissions:

- Manage permissions through Roles and Groups.

Conditional Access:

- Restrict database creation to a specific engine.

- Restrict access from a specific IP address/range.

Auditing:

- Enable CloudTrail to log API call activity.

- Log calls to the S3 bucket associated with your account.

Strong Password:

- Use password tools.

- Consider password strength metrics.

Credential Rotations:

- Rotate your passwords on a fixed schedule.

- Use the Credential Report to identify credentials that should be rotated.

- Note that EC2 instances rotate credentials for IAM roles by default.

MFA:

- Enable MFA for all users.

Sharing:

- Use IAM roles to share access (use IAM roles for EC2 instances).
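Several of the bullets above (credential rotation, MFA for all users, the Credential Report) can be checked from one input. The following is an added example, not the article's code: it reads the IAM Credential Report CSV (the header is the one `aws iam get-credential-report` returns after base64-decoding the Content field) and flags users without MFA, passwords and access keys older than a rotation age, never-used keys, and root access keys. The rows and account id are constructed.

```python
"""Flag IAM credentials that need attention, from the IAM Credential Report.
Added example, not the article's code.  The header matches the report the
IAM API returns; the three rows (and account id 123456789012) are constructed."""
import csv
import io
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

ROOT = "<root_account>"   # how the report names the root user

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2016-01-10T09:00:00+00:00,not_supported,2017-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2016-01-10T09:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-01T10:00:00+00:00,true,2017-06-28T07:12:00+00:00,2017-06-01T10:00:00+00:00,2017-08-30T10:00:00+00:00,true,true,2017-06-15T00:00:00+00:00,2017-06-29T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-03-01T10:00:00+00:00,true,no_information,2016-03-01T10:00:00+00:00,N/A,false,true,2016-03-01T10:00:00+00:00,N/A,N/A,N/A,true,2016-09-01T10:00:00+00:00,2017-06-29T00:00:00+00:00,us-east-1,s3,false,N/A,false,N/A
"""


def _ts(value: str) -> Optional[datetime]:
    """Parse a report timestamp; markers such as N/A, not_supported and
    no_information are not dates and yield None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv: str, now_iso: str,
                            max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs.  now_iso fixes 'today' so runs are reproducible."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == ROOT:
            # Root should not hold access keys at all, and must have MFA.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root account has active access keys"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        if row["password_enabled"] == "true":           # console user
            if row["mfa_active"] != "true":
                findings.append((user, "console user without MFA"))
            changed = _ts(row["password_last_changed"])
            if changed is None or changed < cutoff:
                findings.append((user, f"password older than {max_age_days} days"))
        for n in ("1", "2"):                             # each of the two keys
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            if rotated is None or rotated < cutoff:
                findings.append((user, f"access key {n} older than {max_age_days} days"))
            if _ts(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"access key {n} never used: consider removing it"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, "2017-07-01T00:00:00+00:00"):
        print(f"{user}: {finding}")
```

Against a live account, pass the decoded Content field of the get-credential-report response in place of SAMPLE_REPORT and today's date as now_iso.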


Sources of Provided Statistics

http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2016-state-cloud-survey

http://www.waterfordtechnologies.com/cloud-computing-stats-2017/

https://www.forbes.com/sites/benkepes/2015/05/22/how-are-organizations-using-amazons-cloud/#4ee7011c3e29
Conventions over Restrictions - Programming the Python Way

Python is a powerful programming language. It supports procedural and object-oriented programming, and provides important features for functional programming. Its dynamic typing and many meta-programming features allow doing nearly everything at run time. While this freedom provides lots of opportunities for elegant solutions, Python might also be perceived as a dangerously unrestricted language. The common solution is to use conventions to solve a problem in the preferred, hence "pythonic", way. Experienced Python programmers tend to stick to these conventions as much as possible and only diverge when the benefits are substantial compared to those of the conventional solution.

This article gives a short overview of Python features focusing on conventions and their benefits. Since Python syntax is often called executable pseudo code, a reader with solid programming experience does not need to have previous knowledge of Python to follow along.
SECURITY


Password Cracking in UNIX 


Passwords are used for performing authentication. A user can be authenticated to a system in different ways: by something the user knows (a password), something the user has (an identification token), or something the user is (a biometric).


Out of the three things listed above, the password can 
be changed easily in case one finds that the same has 
been compromised. In this paper, we will talk about 
various password cracking tools available for cracking 
passwords in a UNIX environment. Password cracking 
can occur if the cracker gains access to the system 
through physical or remote access. The cracker could 
attempt to try each possible password combination. If 
the attacker gains access to hashes of the passwords, 
then it is possible to use software which utilizes Rainbow 
tables to crack passwords. 


Password Storage 


The file system in UNIX environment is secure with 
permissions at user/group/everyone level. Further, the 
password is stored in hash format. Whenever the user 
enters the password, the system converts the password 
in hash format and checks against the hash already 
stored in the password file. 


The password file in Unix-based system is located at 
/etc/passwd. This file is readable by any user but can be 
written only by superuser. This file contains one line per 
account in the system. Each entry in a password file has 
seven (7) fields. The first field specifies the account / 
username. The second field has the letter ‘x’ written. This 
was used earlier to store the hash. However, in a newer 
version of Unix, the hash is stored in a shadow file 
located at /etc/shadow which is readable by those 
having superuser privileges. 


Password Strength

According to Wikipedia, password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker would need, on average, to guess it correctly. The strength of a password is a function of length, complexity and unpredictability.


Using strong passwords lowers the overall risk of a 
security breach, but strong passwords do not replace the 
need for other effective security controls. The 
effectiveness of a password of a given strength is 
strongly determined by the design and implementation of 
the factors (knowledge, ownership and inherence). 


The rate at which an attacker can submit guessed 
passwords to the system is a key factor in determining 
system security. Some systems impose a time-out of 
several seconds after a small number (e.g. three) of failed 
password entry attempts. In the absence of other 
vulnerabilities, such systems can be effectively secured 
with relatively simple passwords. 


Hashing 


Unix uses one-way hashing technique to store password. 


[root@ac ~]# cat /etc/shadow 
FOOL? SLSEUGZEXUAS TINT? /Omathk LlqarMong] 215 
O5L20%99999C° 722. 


The password stored in the /etc/shadow file has 3 fields:

1st Field: This is a number which tells which hashing algorithm is being used.

- $1 = MD5 hashing algorithm.

- $2 = Blowfish algorithm is in use.

- $2a = eksblowfish algorithm.

- $5 = SHA-256 algorithm.

- $6 = SHA-512 algorithm.

2nd Field: This is the salt value.

3rd Field: The last field is the hash value of salt + user password.
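The three-field layout above can be parsed mechanically, which is how an administrator audits a shadow file for accounts still protected by a weak scheme (MD5-crypt, or the legacy 13-character DES hash that carries no $id$ prefix at all). The following is an added example, not the article's code; it also handles the cases the three-field description does not cover (bcrypt's single salt+hash field, an optional rounds= parameter, locked and empty fields). The sample entries and hash strings are constructed and are not real password hashes.

```python
"""Parse /etc/shadow password fields and flag weak hashing schemes.
Added example, not the article's code.  SAMPLE_SHADOW is constructed and the
hash strings in it are placeholders, not real hashes."""
from typing import Dict, List, Optional, Tuple

# Prefix ids the article lists, plus the other ids seen on current systems.
SCHEMES = {"1": "MD5-crypt", "2": "Blowfish (bcrypt)", "2a": "eksblowfish (bcrypt)",
           "2b": "bcrypt", "2y": "bcrypt", "5": "SHA-256-crypt",
           "6": "SHA-512-crypt", "y": "yescrypt"}
BCRYPT_IDS = {"2", "2a", "2b", "2y"}
WEAK = {"DES", "MD5-crypt"}        # schemes an audit should flag


def parse_hash(field: str) -> Dict[str, Optional[str]]:
    """Split a shadow password field into scheme, salt, hash and rounds."""
    info = {"scheme": None, "salt": None, "hash": None, "rounds": None,
            "locked": False, "empty": False}
    if field == "":
        info["empty"] = True                 # no password set at all
        return info
    if field.startswith(("!", "*")):
        info["locked"] = True                # '!' locks, keeping the old hash after it
        field = field.lstrip("!")
        if field in ("", "*"):
            return info
    if not field.startswith("$"):
        info["scheme"] = "DES"               # legacy crypt(3): 2-char salt + 11-char hash
        info["salt"], info["hash"] = field[:2], field[2:]
        return info
    parts = field.split("$")[1:]             # drop the empty string before the first '$'
    scheme_id = parts[0]
    info["scheme"] = SCHEMES.get(scheme_id, f"unknown ({scheme_id})")
    if len(parts) < 3:
        return info                          # malformed: keep scheme, no salt/hash
    if scheme_id in BCRYPT_IDS:
        # bcrypt: $2a$cost$<22-char salt><31-char hash> in one field
        info["rounds"] = parts[1]
        info["salt"], info["hash"] = parts[2][:22], parts[2][22:]
        return info
    if parts[1].startswith("rounds=") or scheme_id == "y":
        # SHA-crypt optional rounds=N, or yescrypt's parameter field, comes before the salt
        info["rounds"] = parts[1].split("=", 1)[-1]
        parts = [parts[0]] + parts[2:]
    if len(parts) >= 3:
        info["salt"], info["hash"] = parts[1], parts[2]
    return info


def audit_shadow(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, reason) for accounts whose password protection is weak."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.rstrip("\n").split(":")   # user:password:lastchg:min:max:warn:...
        if len(fields) < 2:
            continue
        user, info = fields[0], parse_hash(fields[1])
        if info["empty"]:
            findings.append((user, "empty password field"))
        elif info["locked"]:
            continue                             # cannot be used to log in
        elif info["scheme"] in WEAK:
            findings.append((user, f"weak scheme {info['scheme']}"))
        elif info["scheme"] is not None and info["scheme"].startswith("unknown"):
            findings.append((user, f"unrecognised scheme: {info['scheme']}"))
    return findings


SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASH:17300:0:99999:7:::
alice:$5$rounds=10000$abcdefgh$FAKEHASH:17300:0:99999:7:::
bob:$1$QmNz2ZrS$FAKEHASH:17300:0:99999:7:::
carol:$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:17300:0:99999:7:::
dave::17300:0:99999:7:::
daemon:*:17300:0:99999:7:::
eve:!$6$saltsalt$FAKEHASH:17300:0:99999:7:::
legacy:xyZabc123defg:17300:0:99999:7:::
"""

if __name__ == "__main__":
    for user, reason in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"{user}: {reason}")
```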


Attacks to Recover Password 


Brute Force Attack: As per Wikipedia, a brute-force 
attack consists of an attacker trying many passwords or 
passphrases with the hope of eventually guessing 
correctly. The attacker systematically checks all possible 
passwords and passphrases until the correct one is 
found. Alternatively, the attacker can attempt to guess 
the key which is typically created from the password 
using a key derivation function. This is known as an 
exhaustive key search. A brute-force attack is a 
cryptanalytic attack that can, in theory, be used in an 
attempt to decrypt any encrypted data (except for data 
encrypted in an information-theoretically secure manner). 
Such an attack might be used when it is not possible to 
take advantage of other weaknesses in an encryption 
system (if any exist) that would make the task easier. 


When password guessing, this method is very fast when 
used to check all short passwords, but for longer 
passwords, other methods such as the dictionary attack 
are used because a brute-force search takes too long. 
Longer passwords, passphrases, and keys have more 
possible values, making them exponentially more difficult 
to crack than shorter ones. Brute-force attacks can be 
made less effective by obfuscating the data to be 
encoded, making it more difficult for an attacker to 
recognize when the code has been cracked or by making 
the attacker do more work to test each guess. One of the 
measures of the strength of an encryption system is how 
long it would theoretically take an attacker to mount a 
successful brute-force attack against it. Brute-force 
attacks are an application of brute-force search, the 
general problem-solving technique of enumerating all 
candidates and checking each one. 


Dictionary Attack: As stated in Wikipedia, a dictionary 
attack is a technique for defeating a cipher or 
authentication mechanism by trying to determine its 
decryption key or passphrase by trying hundreds or 
sometimes millions of likely possibilities, such as words 
in a dictionary. 


Rainbow Tables: A rainbow table is a precomputed 
table for reversing cryptographic hash functions, usually 
for cracking password hashes. Tables are usually used in 
recovering a plaintext password up to a certain length, 
consisting of a limited set of characters. It is a practical 
example of space/time trade-off, using less computer 
processing time and more storage than a brute-force 
attack which calculates a hash on every attempt, but 
more processing time and less storage than a simple 
lookup table with one entry per hash. Use of a key 
derivation function that employs salt makes this attack 
infeasible. Rainbow tables are an application of an earlier, 
simpler algorithm by Martin Hellman. 
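The three parts of the field and the attacks above are easiest to see in code. The following script is added here and is not part of the original article: it splits a shadow field into scheme, rounds, salt and hash, re-implements md5-crypt ($1$) from the FreeBSD crypt(3) algorithm with nothing but hashlib, and runs a dictionary attack against a constructed entry by re-hashing every candidate with the victim's own salt, which is exactly why a rainbow table built for other salts does not help. The victim password, the salt "saltsalt" and the wordlist are constructed for the demonstration; bcrypt and sha-crypt entries are only parsed, not cracked.

```python
#!/usr/bin/env python3
"""Parse a shadow password field and run a dictionary attack against it.

Added example, not code from the original article.  md5-crypt ($1$) is
re-implemented from the FreeBSD crypt(3) algorithm with hashlib so that it
runs offline; the victim entry and wordlist at the bottom are constructed.
"""
import hashlib
from typing import Iterable, Optional

# First part of the field -> crypt(3) scheme (the ids listed in the article, plus yescrypt).
SCHEMES = {"1": "md5-crypt", "2": "bcrypt", "2a": "bcrypt", "2b": "bcrypt",
           "2y": "bcrypt", "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


def parse_shadow_field(field: str) -> dict:
    """Split $id$[rounds=N$]salt$hash (or bcrypt's $2b$cost$saltHash) into parts."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or field[:1] in ("!", "*"):
        raise ValueError("not a hash: locked account, empty field or legacy DES entry")
    ident, body = parts[1], parts[2:]
    if ident.startswith("2"):                 # bcrypt glues a 22-char salt to the hash
        cost, blob = body[0], body[1]
        return {"scheme": "bcrypt", "rounds": 2 ** int(cost), "salt": blob[:22], "hash": blob[22:]}
    rounds = None
    if body[0].startswith("rounds="):         # optional sha256/512-crypt parameter
        rounds, body = int(body[0][7:]), body[1:]
    if len(body) < 2:
        raise ValueError("missing salt or hash")
    return {"scheme": SCHEMES.get(ident, "unknown"), "rounds": rounds,
            "salt": body[0], "hash": body[1]}


_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """crypt(3)'s base64 variant: low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> str:
    """md5-crypt exactly as FreeBSD's crypt(3) computes a $1$ entry."""
    salt, magic = salt[:8], b"$1$"
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + magic + salt)
    left = len(password)
    while left > 0:                           # len(password) bytes of the alternate sum
        ctx.update(alt[:min(16, left)])
        left -= 16
    i = len(password)
    while i:                                  # one byte per bit of the length: NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # 1000 rounds make every guess cost 1000 MD5s
        ctx = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(password)
        ctx.update(final if i & 1 else password)
        final = ctx.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    out += _to64(final[11], 2)
    return (magic + salt + b"$" + out).decode()


def dictionary_attack(field: str, wordlist: Iterable[str]) -> Optional[str]:
    """Re-hash each candidate with the victim's salt; a table built for other
    salts is useless here, so the attacker pays the full cost per entry."""
    info = parse_shadow_field(field)
    if info["scheme"] != "md5-crypt":
        raise NotImplementedError(f"{info['scheme']} is not implemented in this example")
    salt = info["salt"].encode()
    for word in wordlist:
        if md5_crypt(word.encode(), salt) == field:
            return word
    return None


# Constructed demo data: a weak password hashed with a fixed salt, and a tiny wordlist.
VICTIM_FIELD = md5_crypt(b"letmein", b"saltsalt")
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]

if __name__ == "__main__":
    print(parse_shadow_field(VICTIM_FIELD))
    print("recovered:", dictionary_attack(VICTIM_FIELD, WORDLIST))
```

Running the script prints the parsed parts of the constructed entry and recovers "letmein" from the wordlist; swap the salt for any other eight characters and the same password produces a completely different field, which is the property that makes precomputed tables pointless against salted crypt(3) entries.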


Password Cracking tools for Unix 


• John the Ripper 


  • John the Ripper is a fast password cracker, 
    currently available for many flavors of Unix, 
    Windows, DOS, and OpenVMS. Its primary 
    purpose is to detect weak Unix passwords. 
    Besides several crypt(3) password hash types 
    most commonly found on various Unix systems, 
    supported out of the box are Windows LM 
    hashes, plus lots of other hashes and ciphers in 
    the community-enhanced version. 


  • It is free and Open-Source software, distributed 
    primarily in source code form. 


• THC Hydra 


  • THC Hydra is proof of concept code, to give 
    researchers and security consultants the 
    possibility to show how easy it would be to gain 
    unauthorized access from remote to a system. 
    Unlike John, it guesses online against network 
    login services rather than offline against 
    hashes you already hold. 


• RainbowCrack 


  • RainbowCrack is a general purpose 
    implementation of Philippe Oechslin's faster 
    time-memory trade-off technique. It cracks 
    hashes with rainbow tables. 


  • It uses a time-memory tradeoff algorithm to crack 
    hashes, which differs from brute force hash crackers. 
BHYVE 


Elastix on Bhyve 


What is Elastix? 


Elastix is a unified communications server software that 
brings together IP PBX, email, IM, faxing and 
collaboration functionality. It has a Web interface and 
includes capabilities such as a call center software with 
predictive dialling. 


The Elastix 2.5 functionality is based on open-source 
projects which include Asterisk, FreePBX, HylaFAX, 
Openfire and Postfix. Those packages offer the PBX 
(Asterisk with the FreePBX front end), fax, instant 
messaging and email functions, respectively. 


As for Elastix 5.0, its functionality is provided through 
3CX, a software based private branch exchange (PBX) 
built on the SIP (Session Initiation Protocol) standard. It 
enables extensions to make calls via the public switched 
telephone network (PSTN) or via Voice over Internet 
Protocol (VoIP) services. Elastix 5.0 is an IP business 
phone system that supports standard SIP soft/hard 
phones, VoIP services and traditional PSTN phone lines. 


Elastix 2.5 is free software released under the GNU 
General Public License, whereas Elastix 5.0 is proprietary, 
released under the terms of the 3CX license. 


What is Bhyve? 


Bhyve (pronounced "bee hive", formerly written as 
BHyVe) is a type-2 hypervisor/virtual machine manager 
for FreeBSD that was introduced in FreeBSD 10.0, and 
supports most Intel and AMD processors that report the 
"POPCNT" (POPulation Count) processor feature in 
dmesg(8). 


The Bhyve BSD-licensed hypervisor became part of the 
base system with FreeBSD 10.0-RELEASE. This 
hypervisor supports a number of guests, including 
FreeBSD, OpenBSD, and many Linux distributions. 
Virtualization offload features of newer CPUs are used 
to avoid the legacy methods of translating instructions 
and manually managing memory mappings. 


The Bhyve design requires a processor that supports 
Intel Extended Page Tables (EPT) or AMD Rapid 
Virtualization Indexing (RVI) or Nested Page Tables (NPT). 


Currently, Bhyve can run the following guests: FreeBSD 
9+, OpenBSD, NetBSD, Linux and MS Windows desktop 
(versions Vista, 7, 8/8.1 and 10), as well as MS 
Windows Server (versions 2008/2008R2, 2012/2012R2 
and 2016 Technical Preview 2 and 3). 


Lately, libvirt supports Bhyve as well. libvirt is an open 
source API, daemon and management tool for managing 
platform virtualization. This tool is used to manage KVM, 
Xen, VMware ESX, QEMU and other virtualization 
technologies. You can use virt-manager to manage 
Bhyve, but personally I prefer to drive Bhyve from the shell. 
Moreover, you can choose other FreeBSD packages 
which were created to make life easier, like CBSD and 
vm-bhyve. 


Recently, Bhyve supports Unified Extensible Firmware 
Interface Graphics Output Protocol or "UEFI-GOP" 
which means that you can run any modern OS without 
pain. 


Bhyve Preparation and Elastix Installation 
Elastix requirements: 

« Minimum required RAM is 2 GB. 

¢ Minimum recommended virtual disk size of 30GB. 


Install FreeBSD 11.0: FreeBSD 11.0 or any later release 
will do. 


Install the grub loader for Bhyve: We must install 
the "grub2-bhyve" port; grub-bhyve is the loader that 
reads the Linux kernel and initrd out of the guest's 
disk or ISO and hands them to bhyve. Building the port is 
time-consuming and normally prompts for options, but 
one trick avoids the interaction: 


# cd /usr/ports/sysutils/grub2-bhyve 
# make install clean -DBATCH 


-DBATCH forces the port build to accept the default 
options instead of prompting you for confirmation. 


Hypervisor, Network and Storage Preparation: 


# kldload vmm — this command loads the 
Bhyve kernel module (driver). 


# ifconfig tap0 create up — this 
command creates a new tap interface and brings it up. 


# ifconfig bridge0 create up — this 
command also creates a bridge and brings it up, ready 
for members. 


# ifconfig bridge0 addm em0 — this 
command adds em0 (the physical network interface) to bridge0. 


# ifconfig bridge0 addm tap0 — this 
command adds tap0 to bridge0, so the guest sits on the 
host's LAN segment. 


# truncate -s 30G elastix.img — this 
command creates a sparse 30GB file to serve as the 
guest's disk. 


Prepare Elastix ISO: 


# fetch https://excellmedia.dl.sourceforge.net/project/elastix/Elastix%20PBX%20Appliance%20Software/2.5.0/latest/Elastix-2.5.0-STABLE-x86_64-bin-08may2015.iso 


# mv Elastix-2.5.0-STABLE-x86_64-bin-08may2015.iso elastix.iso 


Create an elastix.map that grub will use to map the virtual 
devices to the files on the host system: 


# touch elastix.map 


# echo "(hd0) /root/elastix.img" >> elastix.map 


# echo "(cd0) /root/elastix.iso" >> elastix.map 


Boot Elastix Virtual Machine: 


# grub-bhyve -m elastix.map -r cd0 -M 2048 elastix 


grub> linux (cd0)/isolinux/vmlinuz 


grub> initrd (cd0)/isolinux/initrd.img 


grub> boot 


# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,elastix.img -s 4:0,ahci-cd,elastix.iso -l com1,stdio -c 2 -m 2048M elastix 


This command starts a virtual machine named elastix with 2 
CPU cores and 2G of RAM; grub-bhyve must have loaded the 
kernel into a VM of that name first, and the -M/-m memory 
sizes of the two commands must match. 


-H Yield the virtual CPU thread when a HLT instruction is 
detected. If this option is not specified, virtual CPUs will 
use 100% of a host CPU. 


-A Generate ACPI tables. Required for FreeBSD/amd64 guests. 


-P Force the guest virtual CPU to exit when a PAUSE 
instruction is detected. 


The -s options define the PCI slots: the host bridge, the 
LPC bus (which carries the com1 console that -l maps to 
stdio), the virtio network interface on tap0, the virtio 
block device backed by elastix.img (the HDD) and the AHCI 
CD-ROM backed by elastix.iso. 


Elastix installation: You can install Elastix with the GUI 
wizard. 


Elastix First Boot 


After the installation of Elastix, the system will request a 
reboot. This reboot causes Bhyve to exit. 


Issue these commands to boot Elastix again: 


# bhyvectl --destroy --vm=elastix 


# grub-bhyve -m elastix.map -r hd0,msdos1 -M 2048M elastix 


grub> linux (hd0,msdos1)/vmlinuz-2.6.18-371.1.2.el5 root=/dev/mapper/VolGroup00-LogVol00 


grub> initrd (hd0,msdos1)/initrd-2.6.18-371.1.2.el5.img 


grub> boot 


# bhyve -A -H -P -s 0:0,hostbridge -s 1:0,lpc -s 2:0,virtio-net,tap0 -s 3:0,virtio-blk,elastix.img -l com1,stdio -c 2 -m 2048M elastix 
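The two boot sequences differ only in where grub-bhyve takes the kernel from, and the installer's final reboot is the moment bhyve exits: bhyve(8) returns exit status 0 when the guest rebooted, 1 when it powered off, 2 when it halted and 3 on a triple fault. The following Python supervisor is an added example, not code from the article or from the bhyve project. It writes the device map, feeds the loader commands shown above to grub-bhyve on its standard input (the same console the article types them into), runs the same bhyve invocation and loops while the guest keeps rebooting, switching from the ISO to the installed disk after the first cycle. Host paths, device names and the guest kernel version are taken from the article; the supervisor itself and its two modes are assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the article): supervise the Elastix bhyve guest.

bhyve(8) exits when the guest reboots (status 0), which is what leaves the
VM down after the installer finishes.  This loop destroys the stale VM,
re-runs grub-bhyve against the installed disk and starts bhyve again until
the guest powers off or halts.  Paths and names are the article's.
"""
import subprocess
import sys

VM = "elastix"
MEM = "2048M"
IMG = "/root/elastix.img"
ISO = "/root/elastix.iso"
MAP = "/root/elastix.map"
TAP = "tap0"

# bhyve(8) EXIT STATUS: 0 rebooted, 1 powered off, 2 halted, 3 triple fault,
# 4 exited due to an error.
EXIT_ACTIONS = {0: "reboot", 1: "poweroff", 2: "halt", 3: "triplefault", 4: "error"}


def exit_action(status: int) -> str:
    """Translate a bhyve exit status into what the guest asked for."""
    return EXIT_ACTIONS.get(status, "error")


def device_map(img: str, iso: str) -> str:
    """Contents of the grub device map: guest (hd0)/(cd0) backed by host files."""
    return f"(hd0) {img}\n(cd0) {iso}\n"


def grub_root(mode: str) -> str:
    """grub-bhyve -r argument: the ISO for the install, the guest's /boot afterwards."""
    return "cd0" if mode == "install" else "hd0,msdos1"


def grub_commands(mode: str) -> str:
    """The loader commands the article types at the grub> prompt, fed on stdin."""
    if mode == "install":
        return "linux (cd0)/isolinux/vmlinuz\ninitrd (cd0)/isolinux/initrd.img\nboot\n"
    return (
        "linux (hd0,msdos1)/vmlinuz-2.6.18-371.1.2.el5 "
        "root=/dev/mapper/VolGroup00-LogVol00\n"
        "initrd (hd0,msdos1)/initrd-2.6.18-371.1.2.el5.img\nboot\n"
    )


def bhyve_argv(vm: str, mem: str, tap: str, img: str, iso: str, cpus: int = 2) -> list:
    """argv for the bhyve invocation from the article (LPC bus with com1 on stdio)."""
    return [
        "bhyve", "-A", "-H", "-P",
        "-s", "0:0,hostbridge",
        "-s", "1:0,lpc",
        "-s", f"2:0,virtio-net,{tap}",
        "-s", f"3:0,virtio-blk,{img}",
        "-s", f"4:0,ahci-cd,{iso}",
        "-l", "com1,stdio",
        "-c", str(cpus), "-m", mem, vm,
    ]


def supervise(mode: str = "install") -> str:
    """Run loader + bhyve until the guest powers off or halts; return the last action."""
    with open(MAP, "w") as fh:
        fh.write(device_map(IMG, ISO))
    while True:
        # A rebooted guest leaves a stale VM object behind; remove it first.
        subprocess.run(["bhyvectl", f"--vm={VM}", "--destroy"],
                       stderr=subprocess.DEVNULL, check=False)
        subprocess.run(["grub-bhyve", "-m", MAP, "-r", grub_root(mode), "-M", MEM, VM],
                       input=grub_commands(mode), text=True, check=True)
        status = subprocess.call(bhyve_argv(VM, MEM, TAP, IMG, ISO))
        action = exit_action(status)
        print(f"bhyve exited: {action} (status {status})", file=sys.stderr)
        if action != "reboot":
            return action
        mode = "disk"   # after the installer's reboot, boot the installed system


if __name__ == "__main__":
    supervise(sys.argv[1] if len(sys.argv) > 1 else "install")
```

Run it as root on the FreeBSD host with "install" for the first boot and "disk" for every later one; the network and the 30GB image still have to be prepared as described above, and the console stays on the terminal you started it from.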


Secret Sauce 


As you can see, Elastix boots and the welcome screen shows 
the IP address of the Elastix Web GUI. However, this 
address doesn't answer (I gave Elastix 192.168.1.20). Why? 


IPTables (the Linux firewall) is running inside the guest 
and does not let the HTTP traffic through to Apache. The 
quick fix is to stop it: 


#service iptables stop 


You can instead add an IPTables rule that permits only 
the Web GUI ports (TCP 80 and 443), which is the safer 
choice if the guest is reachable from more than the host. 
In a virtual infrastructure, though, it is usually better 
to filter at the host firewall and disable the guest's own 
firewall, so that the rules live in one place. 


Now you can reach the Elastix Web GUI, but something is 
still wrong: Elastix does not allow changing the 
configuration. This is because SELinux is blocking the 
Web GUI's writes. 


Security-Enhanced Linux (SELinux) is a Linux kernel 
security module that provides a mechanism for 
supporting access control security policies, including 
United States Department of Defense—style mandatory 
access controls (MAC). 


SELinux is a set of kernel modifications and user-space 
tools that have been added to various Linux distributions. 
Its architecture strives to separate enforcement of 
security decisions from the security policy itself and 
streamlines the volume of software charged with security 
policy enforcement. We have two solutions: 


Completely turning off SELinux at /etc/selinux/config. 
You need to change the SELINUX option to disabled: 
SELINUX=disabled (takes effect at the next reboot). 


Configuring SELinux to log warnings instead of block at 
/etc/selinux/config. You need to change the SELINUX 
option to permissive: SELINUX=permissive and then 
issue this to switch the running kernel immediately: 


#setenforce 0 


Permissive mode is the better of the two: the GUI works, 
and the denials are still written to the audit log, where 
they show what a proper policy for Elastix would have to 
allow. 


And it's done, Elastix is now up and running (see Figure 
1.) 


Figure 1. Elastix 


Make Config Persistence 


Create a file and name it vm1: 


#touch vm1 


Open vm1 with ee and paste these commands into vm1: 


#!/bin/sh
#
# PROVIDE: vm1
# REQUIRE: NETWORKING
#
# rc.d script that prepares the bridge and tap for the Elastix guest.

. /etc/rc.subr

name=vm1
rcvar=vm1_enable
start_cmd="${name}_start"
stop_cmd=":"

load_rc_config $name
: ${vm1_enable:=no}
: ${vm1_msg="Nothing started."}

vm1_start()
{
	# same preparation steps as above; -n skips an already loaded vmm
	kldload -n vmm
	# tap0 has to exist before it can be added to the bridge
	ifconfig tap0 create up
	ifconfig bridge0 create up
	ifconfig bridge0 addm em0
	ifconfig bridge0 addm tap0
	# launch the guest here with the grub-bhyve and bhyve commands shown above
}

run_rc_command "$1"


Copy vm1 to /etc/rc.d: 


#cp vm1 /etc/rc.d/ 


Make it executable: 


#chmod +x /etc/rc.d/vm1 


Add the vm1 script to /etc/rc.conf: 


#echo 'vm1_enable="YES"' >> /etc/rc.conf 


So after rebooting the host machine, the vm1 script will 
initiate the Bhyve configuration. 


Conclusion 


Elastix installation is easy. Though, if you want to use 
FXO/FXS PCI-E hardware, you have to know about Bhyve PCI 
Passthrough. The Bhyve hypervisor supports the passing of 
PCI devices belonging to the host through to a virtual 
machine for its use, exclusively. In future, we will talk 
about Bhyve PCI Passthrough and explain how to attach one 
device to a specific Bhyve VM. 


Useful Links 


https://wiki.freebsd.org/bhyve/pci_passthru 
https://www.amazon.com/Analog-Express-Connector-Elastix-Freepbx/dp/B00IK7F7KI 
https://www.elastix.org/docs/ 
https://wiki.freebsd.org/bhyve 
http://in4bsd.com/page/FreeBSD 


You can visit his site to view his CV: http://in4bsd.com 
GETTING STARTED 


Ready to Land on the IoT World 
with the Raspberry Pi 3 


In recent years, the small boards with that red fruit 
logo have become very popular. Before the "Pi", those 
boards were known almost exclusively in university 
environments where they were used to learn to program, 
create small research projects, etc. With the emergence 
of Raspberry and their "Pi" board, the cost and ease of 
access to these devices have improved in such a way 
that uses and applications have exploded and seem to 
have no ceiling. In addition, the company has taken a 
very appropriate approach, facilitating adoption since 
the beginning (with tutorials, help, images, forums etc.) 
and showing a clear roadmap where we see that the possibilities 
for our projects are nearly limitless with the Pi. 


There are also some utilities like NOOBS (New Out Of 
Box Software) to help newbies with questions like, "I 
already have it, and now what?" 


I acquired the Raspberry Pi 3 (in the picture) a few 
months ago. It's not their latest model, where again, the 
power and speed have been slightly increased. In my Pi 3 
model, the main improvement over the previous 
versions was the inclusion of WiFi and Bluetooth modules 
on the same board, which made it no longer necessary to 
connect a USB dongle to provide these capabilities. That meant 
ease of use but also a reduction in the power supply needed. 
It's not just the manufacturer and the fan community 
bringing new developments; big companies like 
Microsoft, IBM or Ubuntu are also making contributions and 
encouraging the use of these small devices. 


What is the main objective? First of all, and thanks to 
the ease of adding different sensors, the Internet of 
Things (or IoT) could be one of them, then automation, 
gaming (especially retro), ... and for sure, always learning. 


From the research I’ve done these past months, we've 
seen new versions of: 
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Raspbian -> it's a Linux distribution based on Debian. It’s 
the most popular within the Raspberry Pi world. The last 
version was called Raspbian Jessie and includes Pixel, a 
new graphic interface optimized for the Raspberry Pi. 
Pixel stands for “Pi Improved Xwindows Environment, 
Lightweight’. 


IBM -> Watson lol & Bluemix for Raspberry Pi Great for 
connecting services oriented to loT. 


Microsoft -> Windows loT Core for Raspberry Pi A new 
version of the popular OS thought for loT. 


Ubuntu -> Ubuntu Mate for Raspberry Pi The version of 
this Known Linux distro adapted to the Pi. 


Since I have no previous experience with 
programming, I have mainly focused on the process of 
searching for information, reading manuals, watching 
video tutorials and examples on YouTube, etc. But 
certainly, one of the great attractions that I see is to do 
with my automation project, and have it connected to the 
cloud or Watson and provide it with some artificial 
intelligence (AI). 


As you can see, I'm still in my infancy around Raspberry 
Pi, but the ideas don't stop coming, so I intend to share 
my advances. I have also recorded and uploaded to my 
YouTube channel the first boot of the Raspberry Pi 3 in 
Raspbian with a graphical interface. The Raspberry Pi is 
OS agnostic, meaning that you can use it with the OS that 
you prefer (different Linux distros, Windows etc.). In my 
learning and tests, I'm using Raspbian as I mentioned. 
Most of the steps and commands will be very similar in 
other Linux distros. I'm learning and doing these 
experiments in my spare time. Thus, my progress is 
slower than I expected. Anyway, let's put some meat on 
this article. Here are the first steps, "from newbie to 
newbie" ;-) 


Be sure to have a keyboard and mouse so that you can 
use them for the Raspi. At least for the initial 
configuration, since you'll see that afterwards, it’s quite 
easy/comfortable to access it remotely. 


Take a microSD card (the size will depend on what you 
want to do, a minimum of 4GB), the faster the better. 
Install the Operating System (I’m using Raspbian) on the 
card. There are great official guides for that. Once 
finished, insert the card in the Raspi. 


Plug the Raspi to a screen through HDMI, to the internet 
through an ETH cable and to a power source using the 
microUSB port. You can use the keyboard and mouse 
either through USB or Bluetooth. Allow it to boot the 
system and complete the initial setup. 


In case you have any issue with the screen, run "raspi-config" 
from the terminal. It's the main configuration tool in 
Raspbian. Check options for keyboard, screen, etc. In 
the "Advanced options", be sure you enable "SSH". This 
is the way we will use later on to access the Pi remotely. 
Before you do, change the default password of the "pi" 
user with "passwd": once SSH is on, anyone on the network 
who knows the well-known default can log in. 


If you don't have an ETH cable at hand, once booted, I 
suggest configuring the Wi-Fi. If you're a newbie as I am, 
you have probably chosen to start with the graphical 
interface, so configuring Wi-Fi is very simple: the same 
way you would do it on your desktop PC, clicking on the 
"Wireless" icon. 


Test the internet connection. Open a Terminal and 
perform a system upgrade. It's always better to have the 
latest version of the system and the packages we will be using. 
The root account has no password set by default. Use 
"sudo su" to gain a root shell in the terminal, or simply 
prefix the commands with "sudo". 


sudo apt-get update 


This will update the lists from which our system is taking 
the different packages. 


sudo apt-get dist-upgrade 


This instruction will update all the installed packages 
(including the system kernel) to their latest version. Once 
the system is updated and running, we can finally start 
using it. Up to now, I have completed three different 
mini-projects that I will describe later. Since I have 
different microSD cards available, I saved each of those 
"projects" on a different card. Quick presentation: 


Learning to code and tests: It's my main card. I have the 
latest Raspbian version with the different tools I'm using 
to learn how to do things with the Raspi, and to code. For 
the moment, I'm trying to learn Python, although I have 
also tried a little bit of Node-RED. Accessing through SSH 
is key, since I just have to supply power to my Raspi and 
gain access from any PC, mobile or tablet via Wi-Fi in a 
secured way. You always have the possibility of 
accessing via a Remote Desktop, with a graphical interface. 
However, it's much slower and, unless you tunnel it over 
SSH, insecure (the encryption is not included natively). 


Gaming center: Do you remember those old days with 
the NES? The NES (if you don't know it) was a classic 
Nintendo game console. I do remember it, especially at 
Christmas. This year, I had a retro console at 
Christmas again. For that, I used a customized version of 
Raspbian called "RetroPie" and connected my PS3 
controllers through Bluetooth. 


Media center: I already have an Android box with Kodi 
and other apps that work very well. But since one of the 
most common uses for the Raspi is a home media center, 
I wanted to try it out. I chose another distribution 
for the Pi called LibreELEC, whose main characteristic is that 
it boots straight into Kodi and you can't touch the system 
files, to avoid "breaking it". 


Since this is my first article, I wanted to introduce what 
I've done or am doing. In future articles, I will develop 
more about those and other projects as well. In the next 
months, I want to build an "Alexa kind of device", and also an 
IoT device using different sensors. I hope you have liked 
this experience and are willing to learn as I am doing. 
Please comment and share your questions, ideas and 
experiences, and I will be happy to read them! 


About the Author 


Manuel Daza is passionate about 
technology and of course human 
relationships, that is what brought him 
to a sales role into an IT company. 
After 10 years of career, he has 
developed a high knowledge in sales 
and negotiation, which combined with 
his background in International 
Marketing and Communications, helps him to better 
understand the full process of the sale. 

You will find his thoughts on his YouTube channel: 


https://www.youtube.com/user/mdabarb 
Some time ago, I tried to solve a real-world geocaching/math problem. In my brute-force approach, I allocated a 
number of jobs on multiple-CPU machines rented from Amazon AWS that were running NetBSD/Xen. After doing so, I 
discovered that the load distribution was not utilizing all CPUs. NetBSD's processor sets were a first attempt at a 
workaround, but I wanted a proper fix, as this was apparently not specific to the Xen port but affected the NetBSD 
scheduler on all platforms. NetBSD developer Michael van Elst pointed me at the real problem, and he also provided the 
first patch for the problem. I set up a test environment and ran some tests, and documented my findings in what is 
one of my favorite blog posts: 


Learning More About the NetBSD Scheduler (... Than | Wanted to Know) 


I had another chat with Michael on the scheduler issue, and we agreed that someone should review his proposed patch. 
Some interesting things arose from the discussion: 


I learned a bit more about the scheduler from Michael. With multiple CPUs, each CPU has a queue of processes that are 
either "on the CPU" (running) or waiting to be serviced (run) on that CPU. Those processes count as "migratable" in 
runqueue_t. Now and then, the system checks all its run queues to see if a CPU is idle, and can thus "steal" (migrate) 
processes from a busy CPU. This is done in sched_balance(). 

The "stealing" (migration) has a positive effect in that the process doesn't have to wait to get serviced on the CPU it's 
currently on. On the other side, migrating the process affects both CPUs' data and instruction caches. Therefore, 
switching CPUs shouldn't be taken too lightly. 


If migration happens, then this should be done from the CPU with the most processes that are waiting for CPU time. In 
this calculation, not only should the current number be counted in, but also a bit of the CPU's history should be taken 
into account, so that processes that started running on a CPU are not taken away again immediately. This is what is done 
with the help of the processes currently migratable (r_mcount) and some "historic" average. This "historic" value is 
taken from the previous round in r_avgcount. More or less weight can be given to this, and it seems that the current 
number of migratable processes had too little weight over all processes to be considered. 


What happens in effect is that a process is not taken from its CPU, left there waiting, with another CPU spinning idle. 
Which is exactly what I saw in the first place. 


Also, what I learned from Michael was that there are a number of sysctl variables that can be used to influence the 
scheduler. Those are available under the "kern.sched" sysctl-tree: 


% sysctl -d kern.sched 
kern.sched.cacheht_time: Cache hotness time (in ticks) 
kern.sched.balance_period: Balance period (in ticks) 
kern.sched.min_catch: Minimal count of threads for catching 
kern.sched.timesoftints: Track CPU time for soft interrupts 
kern.sched.kpreempt_pri: Minimum priority to trigger kernel preemption 
kern.sched.upreempt_pri: Minimum priority to trigger user preemption 
kern.sched.rtts: Round-robin time quantum (in milliseconds) 
kern.sched.pri_min: Minimal POSIX real-time priority 
kern.sched.pri_max: Maximal POSIX real-time priority 


The above text shows that much more can be written about the scheduler and its whereabouts. However, this remains to 
be done by someone else (volunteers are welcome!). 


Now, while digging into this, I also learned that I'm not the first to discover this issue; there already exists another 
PR on this. I have opened PR kern/51615, but there is also kern/43561. Funny enough, the solution which has been 
proposed there is about the same, though with a slightly different implementation. Still, *2 and <<1 are the same as /2 
and >>1, so there is no change. And renaming variables for fun doesn't count anyways. ;) Last but not least, it's worth 
noting that this whole issue is not Xen-specific. 


Thus, with this in mind, I went to do a bit of testing. I had already tested running concurrent, long-running processes that 
did use up all the CPU they got, and the test was good. 

To test a different load on the system, I started a "build.sh -j8" on a (VMware Fusion) VM with 4 CPUs on a MacBook 
Pro. That nearly brought the machine to a halt, though what I saw was lots of idle time on all CPUs. I aborted the 
exercise to get back some CPU cycles. I blame the VM handling here, not the guest operating system. 


I restarted the exercise with 2 CPUs in the same VM, and there I saw load distribution on both CPUs (not much wonder 
with -j8), but there were also quite some idle times in the 'make clean / install' phases, which I'm not sure is normal. 
During the actual build phases I wasn't able to see idle time, though the system spent quite some time in the kernel 
(system). Example top(1) output: 


load averages:  9.01,  8.60,  7.15;               up 0+01:24:11 
67 processes: 7 runnable, 58 sleeping, 2 on CPU 
CPU0 states:  0.0% user, 55.4% nice, 44.6% system,  0.0% interrupt,  0.0% idle 
CPU1 states:  0.0% user, 69.3% nice, 30.7% system,  0.0% interrupt,  0.0% idle 


Memory: 311M Act, 90M Inact, 6756K Wired, 25M Exec, 322M File, 395M Free 
Swap: 1536M Total, 21M Used, 1516M Free 


  PID USERNAME PRI NICE   SIZE   RES STATE      TIME   WCPU    CPU COMMAND 
23274 feyrer    21    5    36M   14M RUN/0      0:00 10.00%  0.49% cc1 
21634 feyrer    20    5    44M   20M RUN/0      0:00  7.00%  0.34% cc1 
24964 feyrer    74    5    11M 5496K select/1   0:00  0.44%  0.15% nbmake 
14513 feyrer    20    5    43M   16M RUN/0      0:00  2.00%  0.10% cc1 
  518 feyrer    43    0    15M 1764K CPU/0      0:02  0.00%  0.00% top 
 5922 feyrer    20    5    51M   14M RUN/0      0:00  0.00%  0.00% cc1 
(the remaining rows, further cc1 jobs in the RUN state and their nbmake parents, are unreadable in the scan and omitted) 


All in all, I'd say the patch is a good step forward from the current situation, which does not properly distribute pure CPU 
hogs, at all. 


MEET Dr. Hubert Feyrer 


Can you tell our readers about yourself and your blog? 


Sure! I'm Hubert Feyrer and I encountered NetBSD while studying computer science. Back then, I came from the Amiga, 
and lots of people then ported Unix software to the Amiga. There was a "real" Unix available for the Amiga from 
Commodore, but it was expensive commercial software. A group of enthusiasts tried to port Mach, but they made 
little progress. Then one morning, Markus Wild turned up with a port of NetBSD to the Amiga, and that got the ball 
rolling - back in 1993. I stuck around at the University of Applied Sciences in Regensburg for quite some time, switching 
between studying, working at the CS department, working on my PhD and more work at the CS department. This also 
gave me lots of room to work on NetBSD. My blog at http://www.feyrer.de/NetBSD/blog.html is (as you may guess) 
about NetBSD. The first posts go back to 2004, and the link collection that it started from and that is still available goes 
back to 1996. 


How you first got involved in blogging? 


I was in academia when Linux started to grow big, attracting people long after NetBSD had been popular in the 
(comparatively) tiny Amiga scene. Then, dedicated Open Source / Linux events became en vogue. When I was invited to 
many of these events, I showed people what NetBSD was, and back then, when the Internet came into fashion, I also put 
up some early NetBSD-related web pages - e.g. the postcard that I got in 1993 thanking me for NetBSD help. Things 
started out as a list of URLs of my own and other people, and this evolved into my NetBSD blog. See 
http://www.feyrer.de/NetBSD/ for that page, which still serves as today's visual template for my blog. 


At first, everything was home-written software. Later, I switched to Blosxom for its simplicity. I know there is a lot of better 
and newer software, but Blosxom fits my purpose pretty well. One very nice feature of Blosxom is to add tags to 
postings, and I maintain a tag cloud of topics related to NetBSD - see the bottom of 
http://www.feyrer.de/NetBSD/blog.html. I had the idea to work this into a documentation system, but this never got 
beyond adding a few standard tags - see http://www.feyrer.de/NetBSD/bx/tags.html. 


I use homegrown software for tracking progress on my blog and other selected pages, and I'm happy to see that it's still 
pretty highly frequented, even though my time for NetBSD has decreased somewhat after leaving academia. Today's 
access count is about 5.000 to 6.000 hits on my entire blog. My blog is also one of those aggregated at http://netbsd.fi, 
and I'm always happy to add small blog posts anytime, knowing that it will merge into the bigger stream of 
NetBSD-related content there. 


What’s the best thing a blogger can give to his readers? 


Insight and wisdom. Many of my blog posts are there to index external URLs with tags for easier retrieval via the tag 
cloud. But I really enjoy it when I can gain new insights myself, pass on that wisdom and see people get back to me on 
that. 


Everyone has a favorite/least favorite post. Name yours and why? 


Least... besides many things, I'm the author of g4u, a hard disk cloning software (see http://www.feyrer.de/g4u ). Some 
time ago, the core code was taken by someone and incorporated into their Linux-based derivative under GPL, without giving 
any credits. I did an analysis of this and shared the findings in my blog post as a documentation of the case. This 
example of my BSD licensed code being relicensed without my consent was unpleasant, and it got me to join many 
discussions. If you want a URL to look into this mess, start here: 


http://www.feyrer.de/NetBSD/blog.html/nb_20040917.html 


Favorite... wow, so many! We're talking about 13 years. Maybe one from the recent past: while solving a 
geocaching/math problem, I stumbled across a problem in NetBSD's scheduler, and worked with people from the 
NetBSD community to understand the issue, get a proposed fix, actually get that one tested and into the tree, and then 
add proper documentation. This was spread out over several blog posts (plus some NetBSD problem reports and 
mailing list postings). In the end, the posting with the (my!) core enlightenment is this one: "Learning more about the 
NetBSD scheduler (... than I wanted to know)", URL: 


http://www.feyrer.de/NetBSD/blog.html/nb_20161113_0122.html 


This story even made it to BSDtoday, a BSD-focused webcast. See 
http://www.feyrer.de/NetBSD/blog.html/nb_20161124_2128.html :-) 


What reason is there to choose Unix over another operating system from a programmer perspective? 


That's a broad question. What context do we watch this in - Windows and its whole Sharepoint / Excel / Visual-Whatever 
ecosystem? I'm afraid few people trapped in that universe either have an idea about the beauty and simplicity of Unix, or 
(probably more likely) they don't have a choice on the operating system they prefer to use. Greetings from the corporate 
world! :-) If you start out without any prior constraints, there are again many modern systems that are completely 
agnostic to the underlying operating system, in the web page business. There is a huge ecosystem around PHP, Ruby 
and Javascript that work pretty well on any Unix system, but also (more or less) on Windows. Coming from the former, 
the preference of Unix for these platforms is obvious. As an exercise, try automating SSH from your favorite scripting 
language on a Unix platform, and then see if it still works on Windows. Good luck! Going even deeper, leaving out all 
those existing frameworks with their layers of complexity added on top of the operating system: an operating system is 
software which gives an abstraction to hardware. It comes with an interface to talk to it, the Unix shell and the C API in our 
favorite case. Those are simple and elegant, and can be combined to do many jobs. Like all those frameworks that make 
so many wonderful things possible - all those Unix-based Web Pages, desktop environments like GNOME and KDE, 
databases, and lots of hardware where you don't even know there is Unix inside. 


Of course, there is quite some insight in the "Unix" camp today with major players like Linux and the ones in the BSD 
camp. And while they all have great features of their own, what made them great are the simple concepts that come with 
Unix. At this point, I'd like to recommend an excellent book for those interested in the original Unix concepts, "The UNIX 
Programming Environment" by Brian W. Kernighan and Rob Pike. 


NetBSD 7.1 was released a few days ago. Can you tell us what the best change is if we compare it to the 
previous releases? 




It has all the greatness of a major NetBSD release (NetBSD 7) but without the bugs - as it's an update to the NetBSD 7.0 
release. Seriously, 7.1 comes with many new and great features, while at the same time it uses the NetBSD 7.0 
codebase from the stable release branch. This does not add all the latest features (and bugs) in development, but only 
those that have ripened to a level of maturity where developers took the labor to port them from the development 
(-current) branch to the netbsd-7 release branch. As a result, you can not only see a solid number of great new features 
in NetBSD 7.1 but also a very long list of security improvements and fixed bugs, making 7.1 the ideal base for 
(continued) long term support. 


Please see the NetBSD 7.1 release notes for all the details: http://www.netbsd.org/releases/formal-7/NetBSD-7.1.html 
(geez, I didn't manage to blog about this. Shame on me!) 


What do you think is the future of NetBSD? 


The goal of the NetBSD project is to provide a free, secure and portable Unix-like Open-Source operating system. I think 
this sums it up pretty well - NetBSD comes from early BSD, has evolved a lot over time while being true to itself, and I 
think we will see what the greater "Unix" universe expands to, and remain compatible. At some points, new features are 
adopted either because they prove to be good and mature (think threads, SMP - nothing that was there either in 1969's 
Unix nor in 1993's BSD!) or are required from a user perspective (like all those Linux ABI calls to run proprietary Linux 
software). Another part of NetBSD's features is our great system for cross-compiling the whole system from many source 
platforms, and building code for many target hardware platforms. With more and more embedded and "Internet of Things" 
systems, this will become more and more important - and we have all this from a single source tree today. Thirdly, with 
NetBSD's great base as an operating system, we can add a lot of freely available software on top of it - and for this, we 
have our great 3rd party software system, pkgsrc. 


Please tell us more about the projects you are involved with. 


Currently, there are no specific projects I am involved in. I currently have less time for NetBSD than I want. During that 
time, I follow the project and help out in various positions - e.g. assisting in projects like Google's Summer of Code, 
monitoring internal and external news sources and communication of those that I feel are relevant to the NetBSD community. 
For this, I plan to continue using my blog. But I also got access to post in the name of The NetBSD Project on Facebook, 
so we will see what happens. :-) As for projects in the past, pkgsrc is alive and kicking, working on the next quarterly 
stable release. g4u is sort of sleeping right now, lacking time - yet I still feel strongly for it, and I should find time to revive 
it, getting it close to NetBSD-current and doing regular releases again. Maybe I will make this my next project, again! 


Thank you 


Scheduler Series From My NetBSD Blog 
(URLs old to new) 


[20161105] NetBSD 7.0/xen scheduling mystery, and how to fix it with processor sets - 
http://www.feyrer.de/NetBSD/blog.html/nb_20161105_1754.html 


[20161109] Looking at the scheduler issue again (Updated) - http://www.feyrer.de/NetBSD/blog.html/nb_20161109_0059.html 


[20161113] Learning more about the NetBSD scheduler (... than I wanted to know) - 
http://www.feyrer.de/NetBSD/blog.html/nb_20161113_0122.html 


[20161222] Bringing the scheduler saga to the finishing line - http://www.feyrer.de/NetBSD/blog.html/nb_20161222_2113.html 


[20170109] Documenting NetBSD's scheduler tweaks - http://www.feyrer.de/NetBSD/blog.html/nb_20170109_2108.html 
INTERVIEW 


Interview with Kalin Staykov 


Kalin Staykov is a developer and DevOps engineer at one of the leading semiconductor manufacturers in Europe. He's 
leading a team of engineers focused on Unix-based technologies aimed at building large amounts of code for multiple 
architectures. His day-to-day work involves tool integration and support. In his spare time he often enjoys his ham radio 
hobby and his love for photography. 


The Future of Unix Operating Systems 


I believe that Unix is here to stay - it is the one operating system which was born during the early days of computing 
technology and it has been growing ever since. Nowadays, all enterprise systems heavily rely on the stability and reliability it can 
offer. It is flexible, easy to adapt and enhance. It can be molded to meet almost every need. 


I see some new trends that put automation above the basic idea of Unix being straightforward and easy to understand. I 
see complex dependencies forming out of the desire to make up for common limitations. We are adapting to new ways 
of work, and I don't hide that I'm in favor of keeping it simple. I enjoy being able to easily see what is under the hood and 
read the script or trace an error back to its source code. The effort I have to put into troubleshooting is increasingly higher. 


Virtualization technologies changed the world for the better and yes - all sorts of clouds are forming from it. 
Decentralized services are the new mainstream, and our thoughts are bent under the pressure of disruptive marketing 
which promotes the passion for being online and using "The Cloud". I see several layers of Unix technologies supporting 
the foundation of this new mainstream. This change has a high impact on the way we administer our systems. 


I used to be very protective of my servers. Back in the day, the OS was bound to one piece of hardware that was the holy 
ground for all operations. I made backups of it, I kept checking the hardware state, and wrote automated monitoring to 
easily spot even small fluctuations in the way my systems worked. Now everything has changed, and it's more likely that I'll 
put on a script to bring several new software containers out of my few hypervisors rather than thinking about what went 
wrong with the system that crashed. Is this wrong? Maybe. It's a fast fix, so we go for it - that's how we work today 
under the pressure of delivering more and more. 


Technology is subject to constant change, and I see some good things happening. Still, I can't forget how beautiful Unix 
systems were destroyed by the business. My hope is that those past mistakes are not repeated and that there will 
always be systems like BSD which are not hampered by the business. They should be the keepers of the technology in 
its purest form. 


Can you tell our readers about yourself and your role nowadays? 


I'm Kalin, and I'm the IT guy. OK, I guess that was how people knew me about 15 years ago when IT was still fresh, and 
people like me were an oddity. I was 15 years old when the Internet was starting to become popular, and we had our first 
touch of it via dial-up phone modems. It was weird and time-consuming. A year later, I was introduced to Linux on a 
system that had only 8 MB of RAM. I recall that it took about one whole day to compile a kernel. 


The first time I touched a keyboard was on an 8-bit system, if we don't count the old school typewriter. I wrote my first 
program at the age of 14, and it did not print "hello, world". I was a system administrator for many years, and I 
concentrated on Sun Solaris systems mostly. Nowadays, I consider myself a DevOps engineer on the good days and a 
bad programmer on the occasional bad day. 


How did you first get involved with programming? 


I was staring at a greenish monitor. There was a prompt on the screen, and I asked a friend of mine "what now?". He 
introduced me to graphics, which involved writing three pages of Basic code just to see a few big squares on the screen. 


Can you tell us more about what you think about DevOps? 


I think that the concept of DevOps is misunderstood by many. Some managers see it as the guy who is both an 
administrator and a programmer. Others think they are those smart guys who put their whole infrastructure in code and 
orchestrate clusters of intelligent units which run in a Cloud. Frankly, I don't dive into too many thoughts around 
concepts. In the end, we are just the Unix guys - we feel our way through the system via its shell and we don't ask too 
many questions. I've also heard about Windows DevOps engineers, but I don't have any evidence of their actual 
existence. 


What is your most interesting programming issue and why? 


I wrote a small program that shows the meaning of life. But it never compiled. 


Please, tell us more about your current projects. 


I'm very much interested in Ruby and the Rails framework. I enjoy writing for the web and drilling the web via 
semi-automated processing/crawler functions. There is so much information out there nowadays, and I enjoy "fishing" 
through it via code. 


Many of our readers have just started their programming journey. Do you have any tips for them? 


Write some junk code right at the beginning and try to have fun. Then, take a step back and learn the actual concepts 
of programming. If you do that right, it doesn't matter what language you'll pick and what your objectives are, all will go 
smoothly. Pick an actual project as soon as you can - learning is easier when you have a target and a strict deadline. 


What is your favorite OS and why? 


MacOS for its beauty and ease of use, Linux for its flexibility and BSD for style! 


Do you have any specific goals for the rest of this year? 


I placed too much on my plate already, so surviving does it for me. Building something really cool on Ruby on Rails is the 
secondary objective. 


Thank you 
Column 


With the wounds still open after another heinous terror attack in the heart 
of London, calls are already being made that security services must be able 
to decrypt messages from the Facebook-owned service, WhatsApp. In light 
of the recent revelations of CIA back-doors in smart televisions, is this 
bluff, rhetoric, or a call for a further political clampdown on free speech? 


Khalid Masood, the terrorist who slaughtered four 
innocent people last week, moments before he met his 
demise, sent an encrypted message which has prompted 
the Home Secretary to demand access to end-to-end 
encrypted messages by the government where 
necessary. While admitting encryption was essential to 
business and banking etc., this "floated kite" is allied to 
further pushes for Google et al. to become content editors 
and screen out offensive content such as "fake news" etc. 
So the relentless behind-the-scenes battle over who 
controls access, opinion and communications transmitted 
digitally over a bunch of wires or through the air continues 
unabated, while the bodies of the deceased are not yet 
resting in their graves. Amber Rudd may find end-to-end 
encryption "completely unacceptable", but personally, I 
find such fruitless political opportunism and sound-bites 
even more so while families are grieving, and the injured 
coming to terms with what has happened. Unfortunately these 
comments come over 70 years too late - in the case of 
German encryption, and thousands of years in the case of 
the cruder Roman variety. It would appear a lot of people 
are really more scared of technology than of maniacs. 


That politicians and investigative journalists are amongst 
the most active users of encryption (a fact that our Home 
Secretary conveniently forgets to mention) is a moot 
point. I don't think the lady would be too impressed if all 
her correspondence appeared Hillary Clinton style on 
Wikileaks. I won't even bring into the discussion the 
whole issue of dissidents from many nations that have 
managed to get their messages out. Nor will I rise to the 
bait of the old line "If you have nothing to fear, you have 
nothing to hide". Such rhetoric reveals a naive confidence 
in justice, equality, and fairness. Just ask any politician or 
journalist. 


This is what I believe. The lessons from World War II 
taught the Western nations much about the importance of 
signals intelligence, but more importantly, how crucial it is 
to infiltrate the other side and get the keys to the 
kingdom, by hook or by crook. As good quality encryption 
is pretty much a dark art on the same scale as quantum 
physics, alchemy, or casting out demons, the established 
order realized this and co-opted those involved. This 
would be an astute political move, as not only do you 
have plausible deniability but you can argue your support 
for free speech, privacy, etc. while knowing damn well when 
push comes to shove you have the upper hand. Bluff, 
double bluff and counter bluff. Of course, I could be 
wrong, but on the balance of probabilities, I think I have a 
good argument here. The deep state will as a priority 
protect their interests, their secrets, and naturally, their 
assets. 


On the other hand, Amber Rudd may have a point which 
will redress the cock-up rather than the conspiracy side of 
the argument. The government is notoriously 
disconnected from the forces that dominate the 
technology marketplace, slow to adapt to rapid changes 
in society. It may well be that Google, Facebook etc. do 
have the edge and the government is locked out. In which 
case, there are some sensitive questions to be asked - 
none of which will probably ever be answered 
satisfactorily, for both commercial and security reasons. 
Firstly, do the major players have backdoors or access to 
encrypted data that they have not disclosed to the 
security services? If they don't, does the author of the 
original encryption algorithm? Such matters place all the 
parties at major risk of legal and physical peril. If you are 
the only keyholder to an immense kingdom, you hold a 
phenomenal amount of power. Of course, the more 
people you share this with, the greater the risk that your 
security will be compromised. Secondly, is there an 
encryption algorithm out there that has not been secretly 
broken by some government somewhere? Again, in the 
land of subterfuge, misinformation and propaganda where 
the intelligence and secret services reside, this question 
will very likely remain honestly unanswered. Even if the 
political will to demonize a political opponent was 
overwhelming, the commercial consequences of 
suggesting your opponent could perform this would be so 
huge the risk would be too great. And if as a government 
you could perform this sleight of hand, it would be in your 
best interests to keep very, very quiet about it. It is no 
wonder security researchers and coders tend to be a bit 
paranoid. The truth will be very hard to find, even less so 
to admit. It is like trying to nail jelly to a wall with a 
drawing pin. 


In an ideal world, there would be no need for encryption, 
guns, armies, police officers or, some would even say, 
politicians. To whom the message sent by Khalid Masood 
went, and what it said, may never be known. Irrespective of 
this, what we should be aiming for is a transparent 
government and private communications (not the other 
way round) with the caveat that a judge or jury can 
authorize access to decryption where there is sufficient 
probable cause for investigation. Anything else is an 
overreach of authority. 


As Albert Einstein said, "I know not with what weapons 
World War III will be fought, but World War IV will be 
fought with sticks and stones". Encryption - like the 
nuclear arms race - follows the same cultural pathology. 
In the 1960's, people were worried about the 
consequences of nuclear war with Russia, and the 
current generation is gradually waking up to the threats 
posed by globalism and the Internet at large. Even if the 
Home Secretary does manage to strong-arm the industry 
into opening the Pandora's box of decryption on demand, 
tragically it will not stop the barbarism that occurred last 
week from continuing. Even if you banned sticks and 
stones, those intent on violence and harm would just use 
their hands. 


About the Author 


Rob Somerville has been passionate about technology 
since his early teens. A keen advocate of open systems 
since the mid-eighties, he has worked in many corporate 
sectors including finance, automotive, airlines, 
government and media in a variety of roles from technical 
support, system administrator, developer, systems 
integrator and IT manager. He has moved on from CP/M 
and nixie tubes but keeps a soldering iron handy just in 
case. 


BSD MAGAZINE 


Editor in Chief: 
Ewa Dudzic 


ewa@bsdmag.org 
www.bsdmag.org 


Contributing: 
Renan Dias, Rob Somerville, Hubert 
Feyrer, Kalin Staykov, Manuel Daza, 
Abdorrahman Homaei, Amit Chugh, 
Mohamed Farag, Bob Cromwell, David 
Rodriguez, Carlos Antonio Neira Bustos, 
Antonio Francesco Gentile, Randy 
Remirez, Vishal Lambe, Mikhail Zakharov, 
Pedro Giffuni, David Carlier, Albert Hui, 
Marcus Shmitt, Aryeh Friedman 


Top Betatesters & Proofreaders: 
Daniel Cialdella Converti, Eric De La Cruz 
Lugo, Radjis Mahangoe, Daniel 
LaFlamme, Steven Wierckx, Denise 
Ebery, Eric Geissinger, Luca Ferrari, Imad 
Soltani, Olaoluwa Omokanwaye, Radjis 
Mahangoe, Katherine Dizon and Mark 
VonFange. 


Special Thanks: 
Denise Ebery 
Annie Zhang 

Katherine Dizon 


Senior Consultant/Publisher: 
Paweł Marciniak 


Publisher: 
Hakin9 Media SK 
Postepu 17D, 02-676 Warsaw, Poland 
worldwide publishing 
editors@bsdmag.org 


Hakin9 Media SK is looking for partners from 
all over the world. If you are interested in 
cooperation with us, please contact us via 


e-mail: editors@bsdmag.org 


All trademarks presented in the magazine 
were used only for informative purposes. All 
rights to trademarks presented in the 
magazine are reserved by the companies 
which own them. 

